Windows Analysis Report
DHL Shipping documents 0020398484995500.exe

Overview

General Information

Sample name: DHL Shipping documents 0020398484995500.exe
Analysis ID: 1523785
MD5: 1506261e1a6e12c9eadfcbe91a859f76
SHA1: 061aa09172c0daef3fc975919a02413ab3a6f01e
SHA256: 0dc8ced22931e20ec965bc36c06a974016fe223434d9553007b4a6c04973b2cb
Tags: DHL, DHLIndonesia, exe, user-ngokoptmp

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration (extracted from the unpacked payload):
{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Yara Overview (memory dumps)

Source | Rule | Description | Author
00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(6 entries in the full report)

Yara Overview (unpacked PEs)

Source | Rule | Description | Author
3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33afd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33b6f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33bf9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33c8b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33cf5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33d67:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33dfd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33e8d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x30e3d:$s2: GetPrivateProfileString
  • 0x30540:$s3: get_OSFullName
  • 0x31c11:$s5: remove_Key
  • 0x31dd9:$s5: remove_Key
  • 0x32d01:$s6: FtpWebRequest
  • 0x33adf:$s7: logins
  • 0x34051:$s7: logins
  • 0x36d62:$s7: logins
  • 0x36e14:$s7: logins
  • 0x38766:$s7: logins
  • 0x379ae:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(7 entries in the full report)

No Sigma rule has matched
No Suricata rule has matched
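The two ditekSHen rules above are plain string rules, and the offsets the report prints are simply where each string sits in the unpacked image. The following scanner, an added example that is not part of the Joe Sandbox report and not the rules' own code, reproduces that "offset:$id: value" output for the string sets listed above. The sample is not available here, so SAMPLE is a constructed buffer with a few of the strings planted at known offsets; because the page does not say whether the rules declare the strings ascii or wide, both encodings are scanned (.NET user strings are stored as UTF-16LE in the #US metadata heap and an ASCII-only scan misses them). The match condition (how many distinct strings are required) is not printed on the page, so it is a parameter rather than the real rules' condition.

```python
# Added example, not part of the Joe Sandbox report: a minimal Yara-style
# string scanner that reports hits in the report's "offset:$id: value" shape
# for the two ditekSHen string sets listed above.
#
# Assumptions: the sample itself is not available here, so SAMPLE is a
# constructed buffer with a few rule strings planted at known offsets. The
# page does not say whether the rules declare the strings ascii or wide, so
# both encodings are scanned: .NET user strings live in the #US metadata
# heap as UTF-16LE and an ASCII-only scan would miss them.
import re
from typing import Dict, List, Tuple

# $s1..$s8 of INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, as listed in the report
VAULT_SCHEMA_GUIDS: Dict[str, str] = {
    "$s1": "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "$s2": "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "$s3": "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "$s4": "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "$s5": "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "$s6": "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "$s7": "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "$s8": "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
}

# The MALWARE_Win_AgentTeslaV2 strings that the report shows hitting
AGENTTESLA_V2_STRINGS: Dict[str, str] = {
    "$s2": "GetPrivateProfileString",
    "$s3": "get_OSFullName",
    "$s5": "remove_Key",
    "$s6": "FtpWebRequest",
    "$s7": "logins",
    "$s9": "1.85 (Hash, version 2, native byte-order)",
}

Hit = Tuple[int, str, str, str]  # (offset, string id, value, encoding)


def scan(data: bytes, strings: Dict[str, str]) -> List[Hit]:
    """Find every occurrence of every rule string, ASCII and UTF-16LE, sorted by offset."""
    hits: List[Hit] = []
    for sid, value in strings.items():
        for enc, needle in (("ascii", value.encode("ascii")),
                            ("wide", value.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), sid, value, enc))
    return sorted(hits)


def format_hits(hits: List[Hit]) -> List[str]:
    """Render hits the way the report does: 0x33afd:$s1: 2F1A6504-..."""
    return [f"0x{off:x}:{sid}: {value}" + (" (wide)" if enc == "wide" else "")
            for off, sid, value, enc in hits]


def rule_matches(data: bytes, strings: Dict[str, str], min_distinct: int) -> Tuple[bool, List[Hit]]:
    """Condition stand-in: at least min_distinct different $ids present.
    The real rules' conditions are not printed on the page, so the threshold is a parameter."""
    hits = scan(data, strings)
    return len({sid for _, sid, _, _ in hits}) >= min_distinct, hits


# Constructed sample: one GUID as ASCII at 0x40, one as UTF-16LE at 0x6c,
# then two AgentTesla strings at 0xb8 and 0xc6.
SAMPLE = (
    b"\x00" * 0x40
    + b"2F1A6504-0641-44CF-8BB5-3612D865F2E5"
    + b"\x00" * 8
    + "3CCD5499-87A8-4B10-A215-608888DD3B55".encode("utf-16-le")
    + b"\x00" * 4
    + b"FtpWebRequest\x00logins\x00"
)

if __name__ == "__main__":
    for name, strings in (("VaultSchemaGUID", VAULT_SCHEMA_GUIDS),
                          ("AgentTeslaV2", AGENTTESLA_V2_STRINGS)):
        matched, hits = rule_matches(SAMPLE, strings, 2)
        print(name, "matched" if matched else "no match")
        for line in format_hits(hits):
            print("  " + line)
```

Running it against the real unpacked image (3.2.*.400000.0.unpack) rather than SAMPLE should reproduce the offsets the report lists; a wide hit at an offset where the report shows none would indicate the rule is ascii-only and that encoding-aware variants of the stealer could slip past it.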

                  AV Detection

Source: DHL Shipping documents 0020398484995500.exe | Avira: detected
Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source: ftp.concaribe.com | Virustotal: Detection: 6%
Source: http://ftp.concaribe.com | Virustotal: Detection: 6%
Source: DHL Shipping documents 0020398484995500.exe | ReversingLabs: Detection: 34%
Source: DHL Shipping documents 0020398484995500.exe | Virustotal: Detection: 40%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL Shipping documents 0020398484995500.exe | Joe Sandbox ML: detected
Source: DHL Shipping documents 0020398484995500.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: DHL Shipping documents 0020398484995500.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 192.185.13.234
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.concaribe.com
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://concaribe.com
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.concaribe.com
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: DHL Shipping documents 0020398484995500.exe | String found in binary or memory: https://github.com/dnSpy/dnSpy/wiki/Debugging-Unity-Games
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
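The report pairs a Firefox/99.0 User-Agent on the api.ipify.org request with a JA3 fingerprint known from other malware. Those two observations come from different layers: the User-Agent is a string the .NET code chose, while JA3 is computed from the TLS ClientHello that the Windows TLS stack emitted, which is why the mismatch is detectable. The block below, an added example that is not part of the Joe Sandbox report and not Joe Security's code, shows how JA3 is derived so the fingerprint above can be reproduced from a packet capture. No pcap is on the page, so build_client_hello() constructs a synthetic ClientHello whose fingerprint will not equal 3b5074b1b5d032e5620f69f9f700ff0e; GREASE handling is included because real browser hellos contain GREASE values that must be dropped before hashing.

```python
# Added example, not part of the Joe Sandbox report: how a JA3 fingerprint is
# derived from a TLS ClientHello, so the "JA3 fingerprint seen in connection
# with other malware" line can be reproduced from a packet capture.
#
# Assumptions: no pcap is on the page, so SYNTHETIC_HELLO is built here and
# its JA3 will NOT equal the report's 3b5074b1b5d032e5620f69f9f700ff0e.
# The fingerprint comes from the TLS stack that sent the ClientHello, not
# from the HTTP User-Agent header, which is why a "Firefox/99.0" UA paired
# with a non-Firefox JA3 is the mismatch worth alerting on.
import hashlib
import struct
from typing import Dict, List, Tuple

# GREASE values (RFC 8701) are excluded from every JA3 field
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def build_client_hello(version: int, ciphers: List[int],
                       extensions: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a ClientHello inside a TLS record (constructed test input)."""
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Pull the five JA3 inputs out of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    ciphers = list(struct.unpack(">%dH" % (cs_len // 2), body[pos:pos + cs_len])); pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    ext_types: List[int] = []
    groups: List[int] = []
    point_formats: List[int] = []
    if pos < len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            payload = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 10:                     # supported_groups
                n = struct.unpack(">H", payload[:2])[0]
                groups = list(struct.unpack(">%dH" % (n // 2), payload[2:2 + n]))
            elif etype == 11:                   # ec_point_formats
                point_formats = list(payload[1:1 + payload[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "point_formats": point_formats}


def ja3(record: bytes) -> Tuple[str, str]:
    """Return (JA3 string, JA3 MD5) for a ClientHello record."""
    h = parse_client_hello(record)

    def field(values) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3_str = ",".join([str(h["version"]), field(h["ciphers"]), field(h["extensions"]),
                        field(h["groups"]), field(h["point_formats"])])
    return ja3_str, hashlib.md5(ja3_str.encode("ascii")).hexdigest()


# Constructed ClientHello: TLS 1.2, a GREASE cipher and a GREASE extension
# (both must vanish from the fingerprint), SNI for api.ipify.org.
SYNTHETIC_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0xC02C, 0xC02B, 0xC030, 0x002F],
    [
        (0x1A1A, b""),
        (0, b"\x00\x10\x00\x00\x0dapi.ipify.org"),      # server_name
        (10, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),      # supported_groups: x25519, P-256, P-384
        (11, b"\x01\x00"),                              # ec_point_formats: uncompressed
        (13, b"\x00\x04\x04\x03\x08\x04"),              # signature_algorithms
    ],
)

if __name__ == "__main__":
    s, digest = ja3(SYNTHETIC_HELLO)
    print(s)
    print(digest)
```

Feeding the first record of the 192.168.2.5:49706 -> 104.26.12.205:443 flow from a capture into ja3() should give the report's hash; comparing that hash against the JA3 values a real Firefox 99 produces is the concrete check behind "known web browser user agent" being a spoof.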

                  System Summary

Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: initial sample | Static PE information: Filename: DHL Shipping documents 0020398484995500.exe
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Code functions: 0_2_0149E00C, 3_2_00FDA228, 3_2_00FDE770, 3_2_00FDAAB0, 3_2_00FD4A58, 3_2_00FD3E40, 3_2_00FD4188, 3_2_06A7A8B4, 3_2_06A7A598, 3_2_06A7BDF0, 3_2_06A7DBF0, 3_2_06A956A0, 3_2_06A966C0, 3_2_06A9C240, 3_2_06A92380, 3_2_06A9B300, 3_2_06A97E40, 3_2_06A97760, 3_2_06A9E468, 3_2_06A90040, 3_2_06A95DC8, 3_2_06A90006
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareGame.dll: vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2049391209.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050654227.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe, 00000000.00000000.2044424346.0000000000BB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepoiliu.exe. vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513950685.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe | Binary or memory string: OriginalFilenamepoiliu.exe. vs DHL Shipping documents 0020398484995500.exe
Source: DHL Shipping documents 0020398484995500.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: DHL Shipping documents 0020398484995500.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/0@2/2
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Mutant created: NULL
Source: DHL Shipping documents 0020398484995500.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL Shipping documents 0020398484995500.exe | ReversingLabs: Detection: 34%
Source: DHL Shipping documents 0020398484995500.exe | Virustotal: Detection: 40%
Source: unknown | Process created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Sections loaded (first load sequence): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, dwrite.dll
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Sections loaded (second load sequence): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: DHL Shipping documents 0020398484995500.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Shipping documents 0020398484995500.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: DHL Shipping documents 0020398484995500.exe, RandomGenerator.cs | .Net Code: Polan System.AppDomain.Load(byte[])
                  Source: DHL Shipping documents 0020398484995500.exe, MonoTypeLoaderImpl.cs | .Net Code: Load
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs | .Net Code: CreateInstance
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs | .Net Code: CreateInstanceNoConstructor
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs | .Net Code: CreateSZArrayCore
                  Source: DHL Shipping documents 0020398484995500.exe, DbgMonoDebugInternalRuntimeImpl.cs | .Net Code: CreateArrayCore
                  Source: DHL Shipping documents 0020398484995500.exe | Static PE information: 0xEB230CD7 [Tue Jan 4 01:26:47 2095 UTC]
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Code function: 3_2_06A7FEF0 push es; ret 3_2_06A7FEF4
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Code function: 3_2_06A73FB7 push 2406B7DAh; retf 3_2_06A73FD5
                  Source: DHL Shipping documents 0020398484995500.exe | Static PE information: section name: .text entropy: 7.455106876960115
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, Form1.cs | High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, Form1.cs | High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, Form1.cs | High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
                  Source: 0.2.DHL Shipping documents 0020398484995500.exe.57d0000.2.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs | High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: 1490000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: 4FD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: FD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: 2E40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: 13B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599890
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599777
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599672
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599562
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599453
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599343
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599234
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599125
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599015
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598906
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598796
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598687
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598578
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598468
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598359
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598250
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598058
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597947
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597835
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597718
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597609
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597500
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597390
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597281
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597172
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597062
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596953
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596843
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596734
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596625
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596515
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596406
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596297
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596187
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596078
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595968
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595859
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595750
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595640
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595526
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595422
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595312
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595203
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595093
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594984
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594874
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594765
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594656
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594547
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594437
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Window / User API: threadDelayed 2108
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Window / User API: threadDelayed 7747
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep count: 36 > 30
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -33204139332677172s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 940 | Thread sleep count: 2108 > 30
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599890s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 940 | Thread sleep count: 7747 > 30
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599777s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599672s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599562s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599453s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599343s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599234s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599125s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -599015s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598906s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598796s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598687s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598578s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598468s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598359s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598250s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -598058s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597947s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597835s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597718s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597609s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597500s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597390s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597281s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597172s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -597062s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596953s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596843s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596734s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596625s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596515s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596406s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596297s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088 | Thread sleep time: -596187s >= -30000s
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -596078s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595968s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595859s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595640s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595526s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595422s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595312s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -595093s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594984s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594874s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594765s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe TID: 1088Thread sleep time: -594437s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599777
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599343
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 599015
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598796
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598687
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598578
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598359
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598250
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 598058
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597947
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597835
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597718
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597609
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597500
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597390
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597281
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597172
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 597062
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596953
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596843
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596734
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596625
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596515
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596406
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596297
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596187
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 596078
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595968
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595750
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595640
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595526
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595422
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595312
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595203
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 595093
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594984
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594874
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594765
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594656
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594547
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Thread delayed: delay time: 594437
Source: DHL Shipping documents 0020398484995500.exe | Binary or memory string: ResumeVirtualMachine
Source: DHL Shipping documents 0020398484995500.exe | Binary or memory string: InitializeVirtualMachine
Source: DHL Shipping documents 0020398484995500.exe | Binary or memory string: get_VirtualMachine
Source: DHL Shipping documents 0020398484995500.exe | Binary or memory string: get_MonoVirtualMachine
Source: DHL Shipping documents 0020398484995500.exe | Binary or memory string: VirtualMachineManager
Source: DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4515719034.00000000010AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Process created: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe "C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
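
The "Thread sleep time" and "Thread delayed" lines above are the raw evidence behind the report's "Contains long sleeps" and "May sleep (evasive loops)" signatures. The script below is an added example written for this page, not Joe Sandbox code. It takes the delay figures exactly as listed above and treats them as milliseconds (600000 = 10 minutes, which is what the report's ">= 3 min" signature and its 240000 analysis-time override imply; the "s" suffix on the sleep-time lines is how the report prints them). It then checks two things the report leaves implicit: that the first value, 922337203685477, is arithmetically |INT64_MIN| / 10000, the kernel's encoding of an infinite relative NtDelayExecution timeout; and that the remaining values form a countdown in steps of roughly 110 ms, i.e. each request is the previous one minus the wall-clock that elapsed between calls. That shape is what a "sleep until a fixed deadline" loop looks like once the sandbox shortens each individual sleep, and it is the reason a single-sleep threshold is not enough. The 30 s threshold mirrors the report's comparison; the function and verdict names are mine.

```python
"""Characterise the NtDelayExecution pattern a sandbox recorded for one thread.

Added example for this report; not Joe Sandbox code. REPORTED_DELAYS_MS holds
the 'Thread delayed: delay time' figures listed in the report, in order, read
as milliseconds.
"""
from statistics import median

REPORTED_DELAYS_MS = [
    922337203685477, 600000, 599890, 599777, 599672, 599562, 599453, 599343,
    599234, 599125, 599015, 598906, 598796, 598687, 598578, 598468, 598359,
    598250, 598058, 597947, 597835, 597718, 597609, 597500, 597390, 597281,
    597172, 597062, 596953, 596843, 596734, 596625, 596515, 596406, 596297,
    596187, 596078, 595968, 595859, 595750, 595640, 595526, 595422, 595312,
    595203, 595093, 594984, 594874, 594765, 594656, 594547, 594437,
]

# NtDelayExecution takes a relative interval in 100 ns units, and an interval
# of INT64_MIN (0x8000000000000000) means "wait forever". |INT64_MIN| / 10000
# is 922337203685477 ms, exactly the first value the report recorded.
INFINITE_WAIT_MS = (1 << 63) // 10_000


def analyse_delays(delays_ms, long_threshold_ms=30_000):
    """Summarise one thread's recorded delay sequence.

    The report's own rule flags any single delay >= 30 s. This adds two
    observations a triager wants: whether the thread ever asked for an
    infinite wait, and whether the finite delays form a strict countdown
    (each request smaller than the last), which means the code recomputes
    "deadline - now" on every iteration instead of sleeping once.
    """
    finite = [d for d in delays_ms if d != INFINITE_WAIT_MS]
    steps = [a - b for a, b in zip(finite, finite[1:])]
    countdown = bool(steps) and all(s > 0 for s in steps)
    return {
        "infinite_wait_seen": any(d == INFINITE_WAIT_MS for d in delays_ms),
        "long_sleep_count": sum(1 for d in finite if d >= long_threshold_ms),
        "first_finite_ms": finite[0] if finite else None,
        "last_finite_ms": finite[-1] if finite else None,
        "monotonic_countdown": countdown,
        "median_step_ms": median(steps) if steps else None,
        "requested_total_s": sum(finite) / 1000,
    }


def classify(summary):
    """Map the summary to a short verdict string (hypothetical labels)."""
    if summary["monotonic_countdown"] and summary["long_sleep_count"] > 1:
        return "sleep-until-deadline loop"
    if summary["long_sleep_count"]:
        return "single long sleep"
    return "no stalling"


if __name__ == "__main__":
    summary = analyse_delays(REPORTED_DELAYS_MS)
    for key, value in summary.items():
        print(f"{key:22} {value}")
    print("verdict:", classify(summary))
```

Run against the report's figures, the sequence contains one infinite wait, 51 finite requests all above the 30 s threshold, a median step of 109 ms, and a requested total of about 30,457 s for a sample that the sandbox only let run for minutes; the timeline entry later in the report (over twelve million modified Sleep calls) is the other side of the same loop.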

                  Stealing of Sensitive Information

Source: Yara match | File source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 5016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 6396, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 5016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 6396, type: MEMORYSTR
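
The "File opened" and "Key opened" lines above are the individual accesses behind the report's "harvest and steal" signatures: two Chromium login databases, four Mozilla-family profiles.ini files, an FTP client's site list, WinSCP's session key and two mail-profile keys, all from one process. The following is an added example written for this page, not the report's or the sample's code. It correlates such access events per process and alerts when a single process touches several unrelated credential-store families, which is what separates this pattern from a browser or mail client reading its own store. The event records are constructed from the paths listed above plus two benign accesses; the record layout, the regexes that define each family and the threshold of three families are assumptions and should be tuned to the telemetry you actually have (file-read auditing or ETW, since a plain process-creation feed does not carry these events).

```python
"""Flag a process that opens several unrelated credential stores.

Added example written for this report; not Joe Sandbox code. SAMPLE_EVENTS is
constructed from the 'File opened' / 'Key opened' paths the report lists, plus
two benign accesses; the (pid, image, path) layout is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_IMAGE = "DHL Shipping documents 0020398484995500.exe"

# Credential-store families, matched against the tail of the accessed file or
# registry path. Hypothetical selection built from the paths in this report.
CREDENTIAL_STORES = {
    "chromium_logins": re.compile(
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I),
    "mozilla_profiles": re.compile(
        r"\\(Mozilla\\Firefox|Thunderbird|8pecxstudios\\Cyberfox|"
        r"NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I),
    "ftp_clients": re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I),
    "winscp_sessions": re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I),
    "mail_profiles": re.compile(
        r"\\(Windows Messaging Subsystem\\Profiles|IncrediMail\\Identities)$", re.I),
}

# Constructed events. PID 6396 mirrors the report's stealer process; 4242 and
# 5151 are benign owners reading their own store and must not alert.
SAMPLE_EVENTS = [
    (6396, SAMPLE_IMAGE, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (6396, SAMPLE_IMAGE, r"C:\FTP Navigator\Ftplist.txt"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (6396, SAMPLE_IMAGE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (6396, SAMPLE_IMAGE, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (6396, SAMPLE_IMAGE, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (4242, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (5151, "WinSCP.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
]


def classify_path(path):
    """Return the credential-store family a path belongs to, or None."""
    for family, rx in CREDENTIAL_STORES.items():
        if rx.search(path):
            return family
    return None


def correlate(events, min_families=3):
    """Return {pid: {"image": str, "families": [...]}} for each process that
    touched at least `min_families` distinct store families.

    Repeated opens of the same file (Thunderbird's profiles.ini three times in
    the report) collapse into one family; the breadth of stores is the signal.
    """
    touched = defaultdict(lambda: {"image": None, "families": set()})
    for pid, image, path in events:
        family = classify_path(path)
        if family is None:
            continue
        touched[pid]["image"] = image
        touched[pid]["families"].add(family)
    return {
        pid: {"image": rec["image"], "families": sorted(rec["families"])}
        for pid, rec in touched.items()
        if len(rec["families"]) >= min_families
    }


if __name__ == "__main__":
    for pid, rec in correlate(SAMPLE_EVENTS).items():
        print(f"PID {pid} ({rec['image']}) touched: {', '.join(rec['families'])}")
```

On the constructed events only PID 6396 alerts, with all five families; chrome.exe and WinSCP.exe each touch one family and stay below the threshold. Lowering `min_families` to 1 turns the same function into an inventory of which processes read any credential store at all, which is useful for baselining before the rule goes live.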

                  Remote Access Functionality

Source: Yara match | File source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL Shipping documents 0020398484995500.exe.401af80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 5016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL Shipping documents 0020398484995500.exe PID: 6396, type: MEMORYSTR
MITRE ATT&CK Matrix

Listed per tactic, read column by column from the report's 14-column grid. Bracketed digits are the count markers the report attaches to the techniques it observed, copied exactly as extracted; techniques without a marker carry none in the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; Timestomp [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry [1]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [24]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [11]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Antivirus Detection (submitted sample)

Source | Detection | Scanner | Label
DHL Shipping documents 0020398484995500.exe | 34% | ReversingLabs | Win32.Trojan.GenSteal
DHL Shipping documents 0020398484995500.exe | 41% | Virustotal |
DHL Shipping documents 0020398484995500.exe | 100% | Avira | HEUR/AGEN.1307569
DHL Shipping documents 0020398484995500.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Domains

Source | Detection | Scanner | Label
api.ipify.org | 0% | Virustotal |
concaribe.com | 3% | Virustotal |
ftp.concaribe.com | 6% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | Virustotal |
http://ftp.concaribe.com | 6% | Virustotal |
https://github.com/dnSpy/dnSpy/wiki/Debugging-Unity-Games | 0% | Virustotal |
http://concaribe.com | 3% | Virustotal |
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | unknown
concaribe.com | 192.185.13.234 | true | true | | unknown
ftp.concaribe.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp; DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp; DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.concaribe.com | DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://account.dyn.com/ | DHL Shipping documents 0020398484995500.exe, 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp; DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://concaribe.com | DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.ipify.org/t | DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL Shipping documents 0020398484995500.exe, 00000003.00000002.4517263503.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/dnSpy/dnSpy/wiki/Debugging-Unity-Games | DHL Shipping documents 0020398484995500.exe | false | | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENET (US) | false
192.185.13.234 | concaribe.com | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523785
Start date and time: 2024-10-02 02:42:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL Shipping documents 0020398484995500.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/0@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 71
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                  Time | Type | Description
                  20:43:05 | API Interceptor | 12327486x Sleep call for process: DHL Shipping documents 0020398484995500.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  104.26.12.205Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                  • api.ipify.org/
                  2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousUnknownBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousUnknownBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousUnknownBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousLummaC, VidarBrowse
                  • api.ipify.org/
                  SecuriteInfo.com.Win64.Evo-gen.13899.14592.exeGet hashmaliciousUnknownBrowse
                  • api.ipify.org/
                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                  • api.ipify.org/
                  192.185.13.234draft bl_pdf.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                  • concaribe.com/wp-includes/assets/GkRyQpLAQhPD144.bin
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  api.ipify.orgPrismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                  • 104.26.13.205
                  Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                  • 104.26.12.205
                  ELECTRONIC RECEIPT_Opcsa.htmlGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                  • 172.67.74.152
                  grace.exeGet hashmaliciousAgentTeslaBrowse
                  • 104.26.13.205
                  file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                  • 104.26.13.205
                  https://www.canva.com/design/DAGSL2lLp_4/lQGTdiRa89y3fkgkaFc-uQ/edit?utm_content=DAGSL2lLp_4&utm_campaign=designshare&utm_medium=link2&utm_source=sharebuttonGet hashmaliciousHTMLPhisherBrowse
                  • 172.67.74.152
                  Bank Payment $38,735.exeGet hashmaliciousAgentTeslaBrowse
                  • 104.26.13.205
                  2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                  • 172.67.74.152
                  2zYP8qOYmJ.exeGet hashmaliciousUnknownBrowse
                  • 104.26.12.205
                  Shipping documents 000029393994400000000000.exeGet hashmaliciousAgentTeslaBrowse
                  • 104.26.13.205
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  CLOUDFLARENETUShttps://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000Get hashmaliciousUnknownBrowse
                  • 104.21.46.216
                  https://sanbernardinoscounty.telcom-info.com/Get hashmaliciousHtmlDropperBrowse
                  • 104.21.55.67
                  Electronic_Receipt_ATT0001.htmGet hashmaliciousUnknownBrowse
                  • 104.17.25.14
                  http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630Get hashmaliciousUnknownBrowse
                  • 172.67.180.104
                  http://www.johnhdaniel.comGet hashmaliciousUnknownBrowse
                  • 104.18.36.155
                  https://convertwithwave.comGet hashmaliciousUnknownBrowse
                  • 104.18.30.234
                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                  • 172.67.152.190
                  http://detection.fyiGet hashmaliciousNetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, XmrigBrowse
                  • 104.26.4.62
                  https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jgGet hashmaliciousHTMLPhisherBrowse
                  • 104.22.51.98
                  https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.noGet hashmaliciousHTMLPhisherBrowse
                  • 104.17.25.14
                  UNIFIEDLAYER-AS-1USElectronic_Receipt_ATT0001.htmGet hashmaliciousUnknownBrowse
                  • 69.49.245.172
                  https://email.mg.pmctraining.com/c/eJwUzDGOhSAQANDTSCfBAQQL2n-PgRmUDaAh_E329hvbVzwKpJF3Ehw2B84ro50WV0j68CYB2SNnQrVvLloHPjtLjAq9KAFAJ7thXDVQWlEdcfVg82oOBTo6s9ucFqPaKZ-W5sDSSz9lupuogbhPrBkT10n4ooxjgU8jXuDzfeqNJJ_rESP8fLGXiXJw6ddd6S3_GnaczPIep_gN8B8AAP__bcA-LwGet hashmaliciousHTMLPhisherBrowse
                  • 216.172.173.3
                  https://sharing.clickup.com/9011385758/t/h/868a15nvk/VTTN7SYFPHZE3ITGet hashmaliciousHTMLPhisherBrowse
                  • 67.20.70.239
                  Audio_Msg..00299229202324Transcript.htmlGet hashmaliciousUnknownBrowse
                  • 69.49.245.172
                  Sales_Contract_Main_417053608_09.2024.pdfGet hashmaliciousUnknownBrowse
                  • 108.179.194.43
                  https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=Get hashmaliciousHTMLPhisherBrowse
                  • 108.179.252.163
                  Sales_Contract_Main_417053608_09.2024.pdfGet hashmaliciousUnknownBrowse
                  • 192.185.12.194
                  https://abby-gatenby.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVNucEJVREU9JnVpZD1VU0VSMDMwOTIwMjRVNDYwOTAzMDE=N0123NGet hashmaliciousUnknownBrowse
                  • 192.185.129.84
                  https://thebrasilians.hosted.phplist.com/lists/lt.php?tid=KkkFBgMBXQUHUEsCB1QHTwZWAFYbCQpVBx0EBQABCgADAgJXVl1FVAIAUVFdUVhPBgUCVBsEA1JVHQ8BW1cUUAQGV1cBAF1aUgNQHVAHBFEFBgVRGwEAVQEdAlcLUBQKBAEDHlMAAVILAVBQBwUDBAGet hashmaliciousUnknownBrowse
                  • 50.6.153.166
                  Electronic_Receipt_ATT0001.htmGet hashmaliciousUnknownBrowse
                  • 69.49.245.172
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  3b5074b1b5d032e5620f69f9f700ff0ehttp://tvsurf.jp/Get hashmaliciousUnknownBrowse
                  • 104.26.12.205
                  https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdfGet hashmaliciousUnknownBrowse
                  • 104.26.12.205
                  https://sanbernardinoscounty.telcom-info.com/Get hashmaliciousHtmlDropperBrowse
                  • 104.26.12.205
                  OXrZ6fj4Hq.exeGet hashmaliciousNeshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWormBrowse
                  • 104.26.12.205
                  Pedido09669281099195.com.exeGet hashmaliciousDarkTortilla, QuasarBrowse
                  • 104.26.12.205
                  https://finalstepgetshere.com/uploads/beta9.zipGet hashmaliciousLummaCBrowse
                  • 104.26.12.205
                  https://k7qo.sarnerholz.cam/APRjVfmkGet hashmaliciousUnknownBrowse
                  • 104.26.12.205
                  origin.bin.exeGet hashmaliciousUnknownBrowse
                  • 104.26.12.205
                  origin.bin.exeGet hashmaliciousUnknownBrowse
                  • 104.26.12.205
                  Play_VM-Now(Tina.lawvey)CQDM.htmlGet hashmaliciousHTMLPhisherBrowse
                  • 104.26.12.205
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.442780006094083
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:DHL Shipping documents 0020398484995500.exe
                  File size:525'824 bytes
                  MD5:1506261e1a6e12c9eadfcbe91a859f76
                  SHA1:061aa09172c0daef3fc975919a02413ab3a6f01e
                  SHA256:0dc8ced22931e20ec965bc36c06a974016fe223434d9553007b4a6c04973b2cb
                  SHA512:d8491578697b3308925637c9981d1544095741586e9369cec9330f8948c8dd7a09ffe9bf450f25e4c4a21e91eff00283d10e615acb866748dece290897ee88b5
                  SSDEEP:12288:d4S3sE6hTGrF3CKf04A1+0MX2dsFvs1HGqR:yh6rF3CKf1A1zKxJsZP
                  TLSH:11B4D01963F8472BE9EF4779F0240801C7B6FA87A0A7DF4D9984A8FD1853350EA5136B
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#...............0.............N.... ... ....@.. .......................`............@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x481b4e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xEB230CD7 [Tue Jan 4 01:26:47 2095 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x81b00 | 0x4b | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x596 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x7fb54 | 0x7fc00 | 941f472dd27c93adbd306139e5342a67 | False | 0.7201947773972602 | data | 7.455106876960115 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x82000 | 0x596 | 0x600 | 4d94965f2f43483401a63532580aca61 | False | 0.4134114583333333 | data | 4.027908067359779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x84000 | 0xc | 0x200 | ebb0228a152846e4924fc2be7bac6fee | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_VERSION | 0x820a0 | 0x30c | data | | | 0.42948717948717946
                  RT_MANIFEST | 0x823ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 2, 2024 02:43:04.199244022 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.199284077 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.199392080 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.205997944 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.206012011 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.688038111 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.688110113 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.692524910 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.692543030 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.692883968 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.743757963 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.747919083 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.795397997 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.875178099 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.875344038 CEST | 443 | 49706 | 104.26.12.205 | 192.168.2.5
                  Oct 2, 2024 02:43:04.875449896 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:04.911546946 CEST | 49706 | 443 | 192.168.2.5 | 104.26.12.205
                  Oct 2, 2024 02:43:06.272665977 CEST | 49709 | 21 | 192.168.2.5 | 192.185.13.234
                  Oct 2, 2024 02:43:06.277501106 CEST | 21 | 49709 | 192.185.13.234 | 192.168.2.5
                  Oct 2, 2024 02:43:06.277648926 CEST | 49709 | 21 | 192.168.2.5 | 192.185.13.234
                  Oct 2, 2024 02:43:06.281378031 CEST | 49709 | 21 | 192.168.2.5 | 192.185.13.234
                  Oct 2, 2024 02:43:06.286196947 CEST | 21 | 49709 | 192.185.13.234 | 192.168.2.5
                  Oct 2, 2024 02:43:06.286279917 CEST | 49709 | 21 | 192.168.2.5 | 192.185.13.234
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 2, 2024 02:43:04.182080030 CEST | 50619 | 53 | 192.168.2.5 | 1.1.1.1
                  Oct 2, 2024 02:43:04.188905954 CEST | 53 | 50619 | 1.1.1.1 | 192.168.2.5
                  Oct 2, 2024 02:43:05.958652020 CEST | 61161 | 53 | 192.168.2.5 | 1.1.1.1
                  Oct 2, 2024 02:43:06.271703005 CEST | 53 | 61161 | 1.1.1.1 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Oct 2, 2024 02:43:04.182080030 CEST | 192.168.2.5 | 1.1.1.1 | 0x1342 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                  Oct 2, 2024 02:43:05.958652020 CEST | 192.168.2.5 | 1.1.1.1 | 0xe8bc | Standard query (0) | ftp.concaribe.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Oct 2, 2024 02:43:04.188905954 CEST | 1.1.1.1 | 192.168.2.5 | 0x1342 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                  Oct 2, 2024 02:43:04.188905954 CEST | 1.1.1.1 | 192.168.2.5 | 0x1342 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                  Oct 2, 2024 02:43:04.188905954 CEST | 1.1.1.1 | 192.168.2.5 | 0x1342 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                  Oct 2, 2024 02:43:06.271703005 CEST | 1.1.1.1 | 192.168.2.5 | 0xe8bc | No error (0) | ftp.concaribe.com | concaribe.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Oct 2, 2024 02:43:06.271703005 CEST | 1.1.1.1 | 192.168.2.5 | 0xe8bc | No error (0) | concaribe.com | | 192.185.13.234 | A (IP address) | IN (0x0001) | false
                  • api.ipify.org
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.5 | 49706 | 104.26.12.205 | 443 | 6396 | C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-10-02 00:43:04 UTC | 155 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                  Host: api.ipify.org
                  Connection: Keep-Alive
                  2024-10-02 00:43:04 UTC | 211 | IN | HTTP/1.1 200 OK
                  Date: Wed, 02 Oct 2024 00:43:04 GMT
                  Content-Type: text/plain
                  Content-Length: 11
                  Connection: close
                  Vary: Origin
                  CF-Cache-Status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 8cc0a7fb0ae68c4d-EWR
                  2024-10-02 00:43:04 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                  Data Ascii: 8.46.123.33



                  Target ID:0
                  Start time:20:43:02
                  Start date:01/10/2024
                  Path:C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
                  Imagebase:0xbb0000
                  File size:525'824 bytes
                  MD5 hash:1506261E1A6E12C9EADFCBE91A859F76
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2050716658.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:20:43:02
                  Start date:01/10/2024
                  Path:C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
                  Imagebase:0x330000
                  File size:525'824 bytes
                  MD5 hash:1506261E1A6E12C9EADFCBE91A859F76
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:3
                  Start time:20:43:02
                  Start date:01/10/2024
                  Path:C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\DHL Shipping documents 0020398484995500.exe"
                  Imagebase:0xa20000
                  File size:525'824 bytes
                  MD5 hash:1506261E1A6E12C9EADFCBE91A859F76
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false


                    Execution Graph

                    Execution Coverage:10.3%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:78
                    Total number of Limit Nodes:8
                    execution_graph 15412 1494668 15413 149467f 15412->15413 15414 149468b 15413->15414 15418 1494781 15413->15418 15423 1494204 15414->15423 15419 14947a5 15418->15419 15427 1494880 15419->15427 15431 1494890 15419->15431 15424 149420f 15423->15424 15439 1495d50 15424->15439 15426 14970c5 15428 14948b7 15427->15428 15430 1494994 15428->15430 15435 14944e4 15428->15435 15432 14948b7 15431->15432 15433 1494994 15432->15433 15434 14944e4 CreateActCtxA 15432->15434 15434->15433 15436 1495920 CreateActCtxA 15435->15436 15438 14959e3 15436->15438 15438->15438 15440 1495d5b 15439->15440 15443 1495d70 15440->15443 15442 14972cd 15442->15426 15444 1495d7b 15443->15444 15447 1495da0 15444->15447 15446 14973a2 15446->15442 15448 1495dab 15447->15448 15451 1495dd0 15448->15451 15450 14974a5 15450->15446 15452 1495ddb 15451->15452 15457 1497bf0 15452->15457 15454 1498820 15455 1498a49 15454->15455 15461 149d1a9 15454->15461 15455->15450 15458 1497bfb 15457->15458 15459 1499c92 15458->15459 15466 1499ce0 15458->15466 15459->15454 15462 149d1d9 15461->15462 15463 149d1fd 15462->15463 15470 149d368 15462->15470 15474 149d357 15462->15474 15463->15455 15467 1499d33 15466->15467 15468 1499d68 15467->15468 15469 1499d3e KiUserCallbackDispatcher 15467->15469 15468->15459 15469->15468 15473 149d375 15470->15473 15471 149d3af 15471->15463 15473->15471 15478 149cf48 15473->15478 15475 149d375 15474->15475 15476 149d3af 15475->15476 15477 149cf48 KiUserCallbackDispatcher 15475->15477 15476->15463 15477->15476 15479 149cf53 15478->15479 15481 149dcc0 15479->15481 15482 149d074 15479->15482 15483 149d07f 15482->15483 15484 1495dd0 KiUserCallbackDispatcher 15483->15484 15485 149dd2f 15484->15485 15485->15481 15486 149d6c8 DuplicateHandle 15487 149d75e 15486->15487 15488 149b0f0 15489 149b0ff 15488->15489 15492 149b1e8 15488->15492 15497 149b1da 15488->15497 15493 149b21c 15492->15493 15494 149b1f9 15492->15494 15493->15489 15494->15493 15495 149b420 GetModuleHandleW 
15494->15495 15496 149b44d 15495->15496 15496->15489 15498 149b1f9 15497->15498 15499 149b21c 15497->15499 15498->15499 15500 149b420 GetModuleHandleW 15498->15500 15499->15489 15501 149b44d 15500->15501 15501->15489 15502 149d480 15503 149d4c6 GetCurrentProcess 15502->15503 15505 149d518 GetCurrentThread 15503->15505 15506 149d511 15503->15506 15507 149d54e 15505->15507 15508 149d555 GetCurrentProcess 15505->15508 15506->15505 15507->15508 15511 149d58b 15508->15511 15509 149d5b3 GetCurrentThreadId 15510 149d5e4 15509->15510 15511->15509

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 294 149d470-149d50f GetCurrentProcess 299 149d518-149d54c GetCurrentThread 294->299 300 149d511-149d517 294->300 301 149d54e-149d554 299->301 302 149d555-149d589 GetCurrentProcess 299->302 300->299 301->302 304 149d58b-149d591 302->304 305 149d592-149d5ad call 149d64f 302->305 304->305 308 149d5b3-149d5e2 GetCurrentThreadId 305->308 309 149d5eb-149d64d 308->309 310 149d5e4-149d5ea 308->310 310->309
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0149D4FE
                    • GetCurrentThread.KERNEL32 ref: 0149D53B
                    • GetCurrentProcess.KERNEL32 ref: 0149D578
                    • GetCurrentThreadId.KERNEL32 ref: 0149D5D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 9f5bbf60892b75610a52dd05896464bf5341e85609bb496c023e8c6ddf5c912b
                    • Instruction ID: 7bc3978d2f3dc6ace7ba9f86db405a51a3a8a4dfd429a605636375ebe1a5fa50
                    • Opcode Fuzzy Hash: 9f5bbf60892b75610a52dd05896464bf5341e85609bb496c023e8c6ddf5c912b
                    • Instruction Fuzzy Hash: 0B5127B09003498FDB18DFA9D548B9EBFF1FF88314F248459D419AB360D7389944CB65

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 317 149d480-149d50f GetCurrentProcess 321 149d518-149d54c GetCurrentThread 317->321 322 149d511-149d517 317->322 323 149d54e-149d554 321->323 324 149d555-149d589 GetCurrentProcess 321->324 322->321 323->324 326 149d58b-149d591 324->326 327 149d592-149d5ad call 149d64f 324->327 326->327 330 149d5b3-149d5e2 GetCurrentThreadId 327->330 331 149d5eb-149d64d 330->331 332 149d5e4-149d5ea 330->332 332->331
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0149D4FE
                    • GetCurrentThread.KERNEL32 ref: 0149D53B
                    • GetCurrentProcess.KERNEL32 ref: 0149D578
                    • GetCurrentThreadId.KERNEL32 ref: 0149D5D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: eeaa1b639e6106b928e0b312b8bd97638edbcbb693452fab5bae5dbba410066d
                    • Instruction ID: bad571de97b35d95b584fba149f611409fd2cdd3263e95b98e6f4cb409088e00
                    • Opcode Fuzzy Hash: eeaa1b639e6106b928e0b312b8bd97638edbcbb693452fab5bae5dbba410066d
                    • Instruction Fuzzy Hash: 945135B09003498FDB18DFA9D548B9EBFF5FF88314F208459D519AB360D7389944CB65

                    Control-flow Graph
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0149B43E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 3b93770738f6c2dbd7b42b80a15f9b138e66f09ee0e8cf5526b6930bec07dc1e
                    • Instruction ID: 543a8827a9ec7bd4a9620bf2c554097214d15442b98346ef4dc22e6d23220982
                    • Opcode Fuzzy Hash: 3b93770738f6c2dbd7b42b80a15f9b138e66f09ee0e8cf5526b6930bec07dc1e
                    • Instruction Fuzzy Hash: ED713670A00B058FDB24DF6AE044B5ABBF1FF88204F108A6ED49ADBB64D774E445CB90

                    Control-flow Graph
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 014959D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 4c8fdf02174a95b80e9092030bd2dd9a9e0a8bf17f351e00a3a6253d429d24e9
                    • Instruction ID: 4025c90d7f85fb9fc900499c1b55f6d807d700e95a1328a5cb26747b6375f718
                    • Opcode Fuzzy Hash: 4c8fdf02174a95b80e9092030bd2dd9a9e0a8bf17f351e00a3a6253d429d24e9
                    • Instruction Fuzzy Hash: 7341F1B0C00619CFEB25DFA9C884BDEBBF5BF49304F20805AD408AB264DB755946CF91

                    Control-flow Graph
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 014959D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 72006015bcc5f96ce7882fcac318ed84a61f2ef088eae9b980710de48e1cb9b2
                    • Instruction ID: e9fe79a6cf038806a1ecfdef8e1a63e72a96ea6cc3bf9c8f036402fd1e409c2d
                    • Opcode Fuzzy Hash: 72006015bcc5f96ce7882fcac318ed84a61f2ef088eae9b980710de48e1cb9b2
                    • Instruction Fuzzy Hash: 0D41D1B0C00719CFDB25DFA9C844B9EBBF5BF49304F20806AD408AB265DB756946CF91

                    Control-flow Graph
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149D74F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 54f0971c1760a3d8bebbd1583102e0fadb61e8218f0c90c8b126634d02172c74
                    • Instruction ID: ebfe7b68ef8847be5831e326ec7bec6f8577f6f7290ee81beac7e24a98039ed6
                    • Opcode Fuzzy Hash: 54f0971c1760a3d8bebbd1583102e0fadb61e8218f0c90c8b126634d02172c74
                    • Instruction Fuzzy Hash: 8A21E2B5D002489FDB10CFAAD984ADEBFF9FB48310F14801AE918A3310D378A940CFA1

                    Control-flow Graph
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149D74F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: fbf76cac82b77f4ae67383676f7d2199e600b40fb3b492f871be8ab60ce2cae0
                    • Instruction ID: f04a3452e3a989409229886a581534afd6fa0a26aa1752e8e58ed6fbb2b553ba
                    • Opcode Fuzzy Hash: fbf76cac82b77f4ae67383676f7d2199e600b40fb3b492f871be8ab60ce2cae0
                    • Instruction Fuzzy Hash: B92103B5C002489FDB10CFAAD984ADEBFF4EB48320F14811AE918A3350D338A944CFA1

                    Control-flow Graph
                    APIs
                    • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 01499D55
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: CallbackDispatcherUser
                    • String ID:
                    • API String ID: 2492992576-0
                    • Opcode ID: d3c4f63c4ad945e69512592383eff93a6a44a371fc953684a5ae25c18e094e89
                    • Instruction ID: 3ff94d0614d93790e49fc5bf7c0089b5e3f899e4cbd614b79df40776f86d9ec8
                    • Opcode Fuzzy Hash: d3c4f63c4ad945e69512592383eff93a6a44a371fc953684a5ae25c18e094e89
                    • Instruction Fuzzy Hash: 2521AEB0804398CFDB21CFA9D4447EEBFF4EB05314F14449AC5A9AB256D3395909CFA1

                    Control-flow Graph
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0149B43E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: aabf0b8ec98adda73105aaf2c3384e1a71940300b7d121dbebc4a21f6f1ddb17
                    • Instruction ID: 26c11f7730261c147778ed793ee200201fff5c2f1b983b0f54a87a0937749285
                    • Opcode Fuzzy Hash: aabf0b8ec98adda73105aaf2c3384e1a71940300b7d121dbebc4a21f6f1ddb17
                    • Instruction Fuzzy Hash: 781120B5C007488FDB20DF9AD444ADEBBF4EF88324F10852AC529A7650C378A544CFA0

                    Control-flow Graph
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0149B43E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 30c847d8528761c733827589c8cd74b71e3a154d97604d8ff231e70fd0ee25e6
                    • Instruction ID: 3e9a1aefc99ad92fd9c7ca13b5a0ad1be42eeb2f1aeb82a0a5b46e2e64274306
                    • Opcode Fuzzy Hash: 30c847d8528761c733827589c8cd74b71e3a154d97604d8ff231e70fd0ee25e6
                    • Instruction Fuzzy Hash: 69111DB6C002498FDB10CF9AD444ADEFBF9EF88324F10842AD929A7710C379A545CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049130640.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_113d000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f196911d6aefb393f784555fa402cdfd4837248b0c169bf2f972271054869c95
                    • Instruction ID: 3c59d1c46d7b31c557343b6598e98a018db98aa733ef74847803c38939afd89e
                    • Opcode Fuzzy Hash: f196911d6aefb393f784555fa402cdfd4837248b0c169bf2f972271054869c95
                    • Instruction Fuzzy Hash: 21210071604200DFDF19DFA8E980B26FF65FB88714F60C569E94A0B25AC33AD406CA62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049130640.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_113d000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ed2abb2bccde7827d42c7a59aaa43e8ed39c4d52164bd8b83b7af2a007c4d36e
                    • Instruction ID: e594d8c0af72ccea2959db82aed2301ebf81e5510725d091c75516d2b0c390fd
                    • Opcode Fuzzy Hash: ed2abb2bccde7827d42c7a59aaa43e8ed39c4d52164bd8b83b7af2a007c4d36e
                    • Instruction Fuzzy Hash: 8B2180755083809FCB07CF64D994B11BF71FB86214F28C5DAD8498F2A7C33A981ACB62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2049913355.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1490000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 932dc78e044309a2676d3e96f40f961dfc10ce733786b519760623f5e2d33ba3
                    • Instruction ID: 51559ec80c14fdf1cb41b23099acc5fae0f10f97a174ce082bafd5e0e735f0e6
                    • Opcode Fuzzy Hash: 932dc78e044309a2676d3e96f40f961dfc10ce733786b519760623f5e2d33ba3
                    • Instruction Fuzzy Hash: 7DA14B32E002168FCF19DFB5C88459EBFB2FF95300B15456AE906BB265DB31D95ACB80

                    Execution Graph

                    Execution Coverage:11.6%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:83
                    Total number of Limit Nodes:11
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-3723351465
                    • Opcode ID: 6a7a35f58589325222d029d4ea1e21021a9d5efef82ce99d223270e511770635
                    • Instruction ID: 7edeb5c250fcf0196a9d6b52e7eabcfa227a991175c849b592ebe9803f223f16
                    • Opcode Fuzzy Hash: 6a7a35f58589325222d029d4ea1e21021a9d5efef82ce99d223270e511770635
                    • Instruction Fuzzy Hash: 99E23734A102198FDF64EF68C584B9DB7F2FF89300F6485A9E409AB265DB34ED85CB50
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-3723351465
                    • Opcode ID: 0cccaf3de4c0ce20049a0346d342d23173d0cb6891292071f84f5e5ee2435b24
                    • Instruction ID: 128fffd3fac4a0302f23c54eda17ca87fc67d6e7d099bd28059cc415af66fb5f
                    • Opcode Fuzzy Hash: 0cccaf3de4c0ce20049a0346d342d23173d0cb6891292071f84f5e5ee2435b24
                    • Instruction Fuzzy Hash: C1524E30E102098FDF64EB69E5907AEB7F6EB89310F208925E405DB695DB34EC45CBB1

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q
                    • API String ID: 0-127220927
                    • Opcode ID: e389e0f5488e379eb85de0510f290a2a303f6d616c47a27bcf4d018afd02b657
                    • Instruction ID: cf9ddfa533d0e94e4a61844705b129c0d8311eaf5ea037bd33a4270ff3ce2228
                    • Opcode Fuzzy Hash: e389e0f5488e379eb85de0510f290a2a303f6d616c47a27bcf4d018afd02b657
                    • Instruction Fuzzy Hash: 6B029D30B002158FCF54EB69D590A6EB7E6FF85304F248929E409DB395DB39EC46CBA1
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e89b45a070110c3b45e9c722fe51f7e4d01d97b50b5ed941a230ec405ca7a883
                    • Instruction ID: 1be167ba5c458890525e63a242a86cc2b02915b8662e1789e6731f41151292ea
                    • Opcode Fuzzy Hash: e89b45a070110c3b45e9c722fe51f7e4d01d97b50b5ed941a230ec405ca7a883
                    • Instruction Fuzzy Hash: 1562AF34A102148FEF54EB68D994BADB7F2EF84314F248429E406DB395DB35EC46CBA0
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c81f55da7c9d6ba42491645b01bff1865eed88f37b789dd355e9c48faa879452
                    • Instruction ID: d941b5eb4d318983b95dcda891045ebf2656fee8a86539ed7e57552b8fd64e09
                    • Opcode Fuzzy Hash: c81f55da7c9d6ba42491645b01bff1865eed88f37b789dd355e9c48faa879452
                    • Instruction Fuzzy Hash: EE327034B006198FDF54EB69D980AADB7F6FB88320F208525E406DB355DB35EC46CBA1
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c3e98bca506a662eef34134834de65150b4664cf174283ece5e0945fb772f090
                    • Instruction ID: 5eaad3fe5fb57670e7f059de1166d9390e93a45566f934127a5521fa1bacbb5a
                    • Opcode Fuzzy Hash: c3e98bca506a662eef34134834de65150b4664cf174283ece5e0945fb772f090
                    • Instruction Fuzzy Hash: 4512E231F102159BDF65EF64D88166EB7F2EB84310F248829E81A9F345DB34ED46CBA1

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-1273862796
                    • Opcode ID: ef844418779a4ee512e7c903d4f2ae4dcab8c3d800adf1d812238c06f01ff7d4
                    • Instruction ID: a6cdae7ca6fd6fd7164bd627b3687fa760c830f9c66df174c14390d9ee0601fc
                    • Opcode Fuzzy Hash: ef844418779a4ee512e7c903d4f2ae4dcab8c3d800adf1d812238c06f01ff7d4
                    • Instruction Fuzzy Hash: AFE18130E102198FCF68EF69D5806AEB7F6FF85304F20852AE5099B355DB35D846CBA1

                    Control-flow Graph
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 06A7328E
                    • GetCurrentThread.KERNEL32 ref: 06A732CB
                    • GetCurrentProcess.KERNEL32 ref: 06A73308
                    • GetCurrentThreadId.KERNEL32 ref: 06A73361
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: aaf25d5541c395a904613751416cc86df995c669ffd53f356a5c62405a9eefe6
                    • Instruction ID: 2f01d15411492c3a1cfecca0b8037880b6272f57c5288f1ccba8308efa196678
                    • Opcode Fuzzy Hash: aaf25d5541c395a904613751416cc86df995c669ffd53f356a5c62405a9eefe6
                    • Instruction Fuzzy Hash: 445146B09002498FDB55EFA9D948BEEBBF1FF48304F248459E419A7360D738A944CB65

                    Control-flow Graph
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 06A7328E
                    • GetCurrentThread.KERNEL32 ref: 06A732CB
                    • GetCurrentProcess.KERNEL32 ref: 06A73308
                    • GetCurrentThreadId.KERNEL32 ref: 06A73361
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 2ccdf4fdcc3ca84834a755b94b4148e2c4a8d4b1a780d1414996ec877bf19f4c
                    • Instruction ID: 224d1350685adce92d4c3a38041642918233f2529f719c3fce80dc17d7fe5624
                    • Opcode Fuzzy Hash: 2ccdf4fdcc3ca84834a755b94b4148e2c4a8d4b1a780d1414996ec877bf19f4c
                    • Instruction Fuzzy Hash: 275147B09003498FDB54EFAAD948BEEBBF5FF48304F208459E419A7350D739A944CBA5

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q$$]q
                    • API String ID: 0-858218434
                    • Opcode ID: 06de9620a8a445986808e0db2e148f45bcd95ce0f360f2afe2dee5b3599b5765
                    • Instruction ID: 8c72959ddada261b0cadb8b6efffe753ba290c2827e49cc86d97d2b5456ebe1b
                    • Opcode Fuzzy Hash: 06de9620a8a445986808e0db2e148f45bcd95ce0f360f2afe2dee5b3599b5765
                    • Instruction Fuzzy Hash: 0F913C30B0061A9BDF54EB69D850BAFB3F6BF85304F248569D409AB345EF30AD468B91

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q$$]q
                    • API String ID: 0-182748909
                    • Opcode ID: 1d680c87bd473fc168d44c9f47ea75f97971b033ab7c5992a3e573be46696f14
                    • Instruction ID: d7bd8464187ea5add2ff5d15541cbef2f84fd587ed0e542b483315f1cad5c228
                    • Opcode Fuzzy Hash: 1d680c87bd473fc168d44c9f47ea75f97971b033ab7c5992a3e573be46696f14
                    • Instruction Fuzzy Hash: F9624E34A006198FCF55EF69E580A5EB7F6FF84304B208A29D0099F369DB75ED46CB90

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: fbq$XPbq$\Obq
                    • API String ID: 0-4057264190
                    • Opcode ID: ee44fe69b324dc49da40f6222e57d89a2fde04add4eaa0499cc22e553de6be04
                    • Instruction ID: 746030a6f30ce28dae746f9656ed948356fba582c80b9dc85906ddae8749b657
                    • Opcode Fuzzy Hash: ee44fe69b324dc49da40f6222e57d89a2fde04add4eaa0499cc22e553de6be04
                    • Instruction Fuzzy Hash: EB616430E002199FDF54AFA5C8557AEBBF6FF88300F208429E106AB395DF754D468BA1

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q$$]q
                    • API String ID: 0-127220927
                    • Opcode ID: 077ff96da05eeccc9c6f88f2c175e79bdd7a6761a2c6830042fe778c98919f5b
                    • Instruction ID: 5c4ce502b7a9a318e81c10acd33f99becae660222c24d9263130213fa48dae82
                    • Opcode Fuzzy Hash: 077ff96da05eeccc9c6f88f2c175e79bdd7a6761a2c6830042fe778c98919f5b
                    • Instruction Fuzzy Hash: A2514F30B005199FDF54EB79D850B6E73F6BB89304F148569D409DB389EF30AD468B91

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: fbq$XPbq
                    • API String ID: 0-2292610095
                    • Opcode ID: 4a2a444c56ff263db5fd0562a776a02821e9440a8c5c4fe389a9c962fa153aca
                    • Instruction ID: de2fa402de19986991b4598c9cdaa0970e06e5910451fc4414f390e548924bd0
                    • Opcode Fuzzy Hash: 4a2a444c56ff263db5fd0562a776a02821e9440a8c5c4fe389a9c962fa153aca
                    • Instruction Fuzzy Hash: 3A516130F002199FDF549FA5C855BAEBAF6FF88700F208529E106AB395DF749C069B91

                    Control-flow Graph
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06A7B96E
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 01b9e92abe7f24c9e666c7e232473989828a8eb25fa452e2b3a1c58ca77cd105
                    • Instruction ID: 06f4935cc56f7496318c1fc0df53a1ee416cd3aa38ec5ed90c73f2b2d753c85b
                    • Opcode Fuzzy Hash: 01b9e92abe7f24c9e666c7e232473989828a8eb25fa452e2b3a1c58ca77cd105
                    • Instruction Fuzzy Hash: AC8138B0A00B058FD7A4EF29D94479ABBF1FF48300F00892ED49ADBA51D735E945CBA1
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A7DA02
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: b661787dab19d15c92c8e64212523958ed15ac9f3ffa1ad5c5c7423269648cff
                    • Instruction ID: 6f5c985d641829b9d52858e42d633f17093d5c322e38ce145e0203965ee5beed
                    • Opcode Fuzzy Hash: b661787dab19d15c92c8e64212523958ed15ac9f3ffa1ad5c5c7423269648cff
                    • Instruction Fuzzy Hash: E351C0B1D00349EFDB14DF99C884ADEBFB5BF48310F24812AE819AB210D775A885CF90
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A7DA02
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 866a3886c1fe606271553dac948001f4124d4a5d9480c946e14565829ea2e47d
                    • Instruction ID: 9e8007dbc8ca225083c58e4811bb037dadc688571a859bde601b486a02f5c8a6
                    • Opcode Fuzzy Hash: 866a3886c1fe606271553dac948001f4124d4a5d9480c946e14565829ea2e47d
                    • Instruction Fuzzy Hash: 7941BFB1D10349DFDB14DF9AC884ADEBFB5BF49310F24812AE819AB210D775A985CF90
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A734DF
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 50f06663052d0300982c865c145cae802eaad26bc69d82109f2dce09bb38cf41
                    • Instruction ID: f79222448c4ca724467dc408557616fe48bbf07c734dcf8d80316a414c73b94c
                    • Opcode Fuzzy Hash: 50f06663052d0300982c865c145cae802eaad26bc69d82109f2dce09bb38cf41
                    • Instruction Fuzzy Hash: 3B2103B5C002089FDB10CFAAD984ADEBBF8EF48310F14801AE918A3210D379A940DFA1
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A734DF
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 526443da161c53004732c469ccfaf90d1a7d716c74afb9c98f053e0e61fabdf6
                    • Instruction ID: ff64b9ce2d07667898be3f0b3c53d4a01f6af979b675c40e0743e5c8d301972f
                    • Opcode Fuzzy Hash: 526443da161c53004732c469ccfaf90d1a7d716c74afb9c98f053e0e61fabdf6
                    • Instruction Fuzzy Hash: 1B21E4B59002099FDB10DF9AD984ADEBBF8FB48310F14801AE918A3310D379A940DFA5
                    APIs
                    • GlobalMemoryStatusEx.KERNELBASE ref: 00FDED47
                    Memory Dump Source
                    • Source File: 00000003.00000002.4515648443.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_fd0000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID:
                    • API String ID: 1890195054-0
                    • Opcode ID: ba62112d9a24ae4957eaf83a6ae9093e61e6ee39bf383c30a5944a256a50eb32
                    • Instruction ID: 58d31e12acac70f0a0bbb4009b5be7d2982e0883247e3f7d28594cddb170c898
                    • Opcode Fuzzy Hash: ba62112d9a24ae4957eaf83a6ae9093e61e6ee39bf383c30a5944a256a50eb32
                    • Instruction Fuzzy Hash: FA2133B1C0065A9FCB10DFAAC5457EEFBB5AF09310F14816AD918B7241D778A944CFA1
                    APIs
                    • GlobalMemoryStatusEx.KERNELBASE ref: 00FDED47
                    Memory Dump Source
                    • Source File: 00000003.00000002.4515648443.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_fd0000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID:
                    • API String ID: 1890195054-0
                    • Opcode ID: c20bcf1fbc6d70caef6c1a384a6c0a2a44cd98b7f65ae922640779d18c4ae50b
                    • Instruction ID: 8baaadbb144c30bcd79a50afeec99e707b993269a0468d1fc3f13b862a99bd5a
                    • Opcode Fuzzy Hash: c20bcf1fbc6d70caef6c1a384a6c0a2a44cd98b7f65ae922640779d18c4ae50b
                    • Instruction Fuzzy Hash: 4711EFB1C0065A9BCB10DF9AC544AEEFBF5AF49320F14816AD918A7240D778A944CFA5
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06A7B96E
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520498307.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a70000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: d1f09244b9def640b7c2b9b140b6390266333fb45aaff08d9e16172031021d89
                    • Instruction ID: bdfa9c38a75d104893b8e464e0f62fcf5343f0e3b4551698a27951d7bc49de7d
                    • Opcode Fuzzy Hash: d1f09244b9def640b7c2b9b140b6390266333fb45aaff08d9e16172031021d89
                    • Instruction Fuzzy Hash: E911E0B5C003498FCB10DF9AC844ADEFBF4EF99314F10842AD869A7210D379A545CFA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: PH]q
                    • API String ID: 0-3168235125
                    • Opcode ID: f47fe7faeaed158019117839093a9c5cdd0df6dd66809d729727b0aa6989bab8
                    • Instruction ID: 5168fd33741763a86d981ec3c14268a7bf187fd889508b5f82921392f1337ad9
                    • Opcode Fuzzy Hash: f47fe7faeaed158019117839093a9c5cdd0df6dd66809d729727b0aa6989bab8
                    • Instruction Fuzzy Hash: 81418130E0060A9FDF54BF75D8546AEBBF2BF85300F204529D405EB244EBB4A986DBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: PH]q
                    • API String ID: 0-3168235125
                    • Opcode ID: d74aa9c7def1bbee82555c57356a1ae7f9edd5f56274b0af77a5fedb648b0864
                    • Instruction ID: 1e6a03476ed140ead18e167a68e69bb4054a5d932616b18740ef99d60c13ffce
                    • Opcode Fuzzy Hash: d74aa9c7def1bbee82555c57356a1ae7f9edd5f56274b0af77a5fedb648b0864
                    • Instruction Fuzzy Hash: CF31C230B20205AFCF89AB74D9547AE77E2EF89204B208579D406DB395DF34DE06CBA5
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: PH]q
                    • API String ID: 0-3168235125
                    • Opcode ID: aeef44e8576670d8348130dae6137cbff0ac905c248838f81eedde98d6f68d26
                    • Instruction ID: 9441a217750b3789362b974fa68e8471a4cdaa6ac20f0aa6bca9f85ea69345cb
                    • Opcode Fuzzy Hash: aeef44e8576670d8348130dae6137cbff0ac905c248838f81eedde98d6f68d26
                    • Instruction Fuzzy Hash: 3931CF30B20205AFDF88AB74D95476E7BE6AF89204F208578D406DB395DF34DE06C7A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID: $]q
                    • API String ID: 0-1007455737
                    • Opcode ID: cf17d88ceadf7739fb7af2a47eb653a3163ddc0bc2ad5a1f149934bdfc12ab4e
                    • Instruction ID: 12862e374e83f1ceafa9b5fbe9a2fda711ac55214d8d7732ec8fe4d7b52d15fa
                    • Opcode Fuzzy Hash: cf17d88ceadf7739fb7af2a47eb653a3163ddc0bc2ad5a1f149934bdfc12ab4e
                    • Instruction Fuzzy Hash: 4CF0A431B001158FDF64AF59E980579B7F8EF82314F244966E905CB245D739D906CBA1
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c09ea07840a7bc1dfd16034e5be044f1fd1f088b96279c014003aecd04febce1
                    • Instruction ID: ed0ba5cde6250d80913b311e244bf59a2f394c610c9291a83d2555024c8fe096
                    • Opcode Fuzzy Hash: c09ea07840a7bc1dfd16034e5be044f1fd1f088b96279c014003aecd04febce1
                    • Instruction Fuzzy Hash: 9FA14370E101199FEF64EB6DE9907AF76E6EB89310F304825E405DB395CA38DC819B72
                    Memory Dump Source
                    • Source File: 00000003.00000002.4520569335.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_6a90000_DHL Shipping documents 0020398484995500.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bc37114074c19baa179dbc85f7b08656ff08a0e80cdcdffedfeb2ff697ad395
                    • Instruction ID: bce65256ab5605d74c991d51dc9122cef3ce57c4a0c7a87f4c34d4d5c7892d72