
Windows Analysis Report
ship's particulars-TBN.pdf.scr.exe

Overview

General Information

Sample name: ship's particulars-TBN.pdf.scr.exe
Analysis ID: 1566627
MD5: 5ad9fe85b2c0e0d32a589ce54e7b902e
SHA1: 73eb76b140f25ceecb6eb7dc1ba5c97114e46618
SHA256: e9be7f50bd810d3b8a459a54c2310b567dd7065cb52803306cc5e6132eb9e12f
Tags: exe, user-adrian__luca

Detection

AgentTesla, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ship's particulars-TBN.pdf.scr.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe" MD5: 5AD9FE85B2C0E0D32A589CE54E7B902E)
    • powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
Extracted malware configuration (AgentTesla): {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source | Rule | Description | Author | Strings
00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.1467342543.0000000004FC0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000006.00000002.3895415343.00000000030DC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.3895415343.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
1.2.ship's particulars-TBN.pdf.scr.exe.4fc0000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
1.2.ship's particulars-TBN.pdf.scr.exe.4fc0000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings listed below
  • 0x330d3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33145:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x331cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33261:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x332cb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3333d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x333d3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33463:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, ParentProcessId: 7508, ParentProcessName: ship's particulars-TBN.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", ProcessId: 7716, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", ParentImage: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, ParentProcessId: 7508, ParentProcessName: ship's particulars-TBN.pdf.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe", ProcessId: 7716, ProcessName: powershell.exe
                    No Suricata rule has matched


                    AV Detection

Source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Source: ship's particulars-TBN.pdf.scr.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ship's particulars-TBN.pdf.scr.exe | Joe Sandbox ML: detected
Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: TiFL.pdbSHA256&J source: ship's particulars-TBN.pdf.scr.exe
Source: Binary string: TiFL.pdb source: ship's particulars-TBN.pdf.scr.exe

                    Networking

Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 50.87.144.157
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: beirutrest.com
Source: ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.00000000030DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://beirutrest.com
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1462135543.0000000002451000.00000004.00000800.00020000.00000000.sdmp, ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp, ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: ship's particulars-TBN.pdf.scr.exe | String found in binary or memory: https://cdn.pixabay.com/photo/2017/02/12/21/29/false-2061132_640.png
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49706 version: TLS 1.2

                    System Summary

Source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: initial sample | Static PE information: Filename: ship's particulars-TBN.pdf.scr.exe
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_009B4210
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_009B6F92
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_009BD524
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C694E9
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C60040
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C64000
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6C4A0
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6E550
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6E53F
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6D148
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6CD08
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6CD10
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C6C8D8
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C63883
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C63888
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_0B6E25B8
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_0B6E3E18
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_015BA9E0
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_015B4A58
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_015B3E40
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_015B4188
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D58970
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D5B850
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D5B84F
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D6B248
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D62AE8
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D676A0
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1468020882.0000000008750000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1462135543.000000000249B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1467342543.0000000004FC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1460380999.000000000058E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1467541980.0000000006A58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1467541980.0000000006A58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000000.1426910035.000000000016A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTiFL.exeJ vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893550975.0000000001139000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe | Binary or memory string: OriginalFilenameTiFL.exeJ vs ship's particulars-TBN.pdf.scr.exe
Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/4@2/2
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ship's particulars-TBN.pdf.scr.exe.log
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arfndbq2.hui.ps1
Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ship's particulars-TBN.pdf.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ship's particulars-TBN.pdf.scr.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: TiFL.pdbSHA256&J source: ship's particulars-TBN.pdf.scr.exe
                    Source: Binary string: TiFL.pdb source: ship's particulars-TBN.pdf.scr.exe
                    Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: 0xE9B06FC8 [Sun Mar 28 22:38:00 2094 UTC]
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 1_2_06C63FF1 pushfd ; retn 0006h 1_2_06C63FF2
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_015BAA98 push eax; iretd 6_2_015BAA99
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_015B0C77 push edi; retf 6_2_015B0C7A
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D5FD7D push es; ret 6_2_06D5FD80
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D687E3 push esi; retf 6_2_06D687EA
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D687E1 push edi; retf 6_2_06D687E2
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D6F239 push ds; iretd 6_2_06D6F23E
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D683C9 push esp; retf 6_2_06D683CA
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D64089 push cs; retf 6_2_06D64092
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D64001 push ebx; retf 0005h 6_2_06D64002
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D69149 pushad ; retf 6_2_06D69152
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Code function: 6_2_06D6E897 push ss; iretd 6_2_06D6E89A
                    Source: ship's particulars-TBN.pdf.scr.exe | Static PE information: section name: .text entropy: 7.0158745783234275

                    Hooking and other Techniques for Hiding and Protection

                    Source: Possible double extension: pdf.scr | Static PE information: ship's particulars-TBN.pdf.scr.exe
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match, File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7508, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 990000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 2450000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 4450000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 88D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 98D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 9AE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: AAE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 15B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 3060000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Memory allocated: 5060000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599542
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599437
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599327
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 599090
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598976
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598859
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598750
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598640
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598531
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598421
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598312
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598203
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 598093
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597984
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597875
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597765
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597656
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597547
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597437
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597328
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597218
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 597109
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596999
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596890
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596781
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596672
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596562
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596452
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596343
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596234
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596124
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 596015
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595906
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595797
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595687
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595578
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595468
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595299
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 595150
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 594724
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 594344
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 594234
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 594124
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 594015
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 593906
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 593796
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Thread delayed: delay time: 593687
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 1973
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Window / User API: threadDelayed 2369
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, Window / User API: threadDelayed 7476
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7548, Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848, Thread sleep count: 1973 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868, Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep count: 32 > 30
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7936, Thread sleep count: 2369 > 30
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599765s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7936, Thread sleep count: 7476 > 30
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599542s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599437s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599327s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -599090s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598976s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598859s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598750s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598640s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598531s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598421s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598312s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598203s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -598093s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597984s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597875s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597765s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597656s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597547s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597437s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597328s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597218s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -597109s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596999s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596890s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596781s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596672s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596562s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596452s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596343s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596234s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596124s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -596015s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595906s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595797s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595687s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595578s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595468s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595299s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -595150s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -594724s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -594344s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -594234s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -594124s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -594015s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -593906s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -593796s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe TID: 7932, Thread sleep time: -593687s >= -30000s
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1460380999.00000000005FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1460380999.00000000005FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893615907.000000000123E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Memory written: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Process created: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3895415343.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3895415343.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.4fc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.4fc0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1467342543.0000000004FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3895415343.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7752, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 6.2.ship's particulars-TBN.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3895415343.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3895415343.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ship's particulars-TBN.pdf.scr.exe PID: 7752, type: MEMORYSTR
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.4fc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.4fc0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1467342543.0000000004FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.ship's particulars-TBN.pdf.scr.exe.34a0060.3.raw.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix (techniques listed per tactic; numbers in parentheses are the count badges shown in the report for techniques observed in this analysis)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (121), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1), Process Injection (111), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (11), Obfuscated Files or Information (12), Software Packing (2), Timestomp (1), DLL Side-Loading (1), Masquerading (11), Virtualization/Sandbox Evasion (141), Process Injection (111)
Credential Access: OS Credential Dumping (2), Credentials in Registry (1), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: File and Directory Discovery (1), System Information Discovery (24), Query Registry (1), Security Software Discovery (111), Process Discovery (1), Virtualization/Sandbox Evasion (141), Application Window Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Local System (2), Email Collection (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
ship's particulars-TBN.pdf.scr.exe | 71% | ReversingLabs | Win32.Trojan.Leonem
ship's particulars-TBN.pdf.scr.exe | 100% | Joe Sandbox ML
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
beirutrest.com | 50.87.144.157 | true | false | | high
api.ipify.org | 172.67.74.152 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp; ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp; ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp; ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ship's particulars-TBN.pdf.scr.exe, 00000001.00000002.1462135543.0000000002451000.00000004.00000800.00020000.00000000.sdmp; ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://beirutrest.com | ship's particulars-TBN.pdf.scr.exe, 00000006.00000002.3895415343.00000000030DC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.pixabay.com/photo/2017/02/12/21/29/false-2061132_640.png | ship's particulars-TBN.pdf.scr.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
50.87.144.157 | beirutrest.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566627
Start date and time: 2024-12-02 14:37:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ship's particulars-TBN.pdf.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/4@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 101
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: ship's particulars-TBN.pdf.scr.exe

Time | Type | Description
08:38:01 | API Interceptor | 9464562x Sleep call for process: ship's particulars-TBN.pdf.scr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
50.87.144.157 | Packing List - SAPPHIRE X.xlsx.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT |
50.87.144.157 | WOOYANG VENUS PARTICULARS.pdf.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT |
50.87.144.157 | CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | MV BBG MUARA Ship's Particulars.pdf.scr.exe | malicious | AgentTesla |
50.87.144.157 | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | malicious | AgentTesla |
50.87.144.157 | PEACE SHIP PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | ZHENGHE 3_Q88 20241118.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | ESTEEM ASTRO PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer |
50.87.144.157 | Q88.pdf.exe | malicious | AgentTesla, PureLog Stealer |
172.67.74.152 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
172.67.74.152 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
172.67.74.152 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | 4F08j2Rmd9.bin | malicious | Xmrig | api.ipify.org/
172.67.74.152 | y8tCHz7CwC.bin | malicious | Xmrig | api.ipify.org/
172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
172.67.74.152 | file.exe | malicious | RDPWrap Tool | api.ipify.org/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
beirutrest.com | Packing List - SAPPHIRE X.xlsx.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 50.87.144.157
beirutrest.com | WOOYANG VENUS PARTICULARS.pdf.scr.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 50.87.144.157
beirutrest.com | CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | MV BBG MUARA Ship's Particulars.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
beirutrest.com | CHARIKLIA JUNIOR DETAILS.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
beirutrest.com | PEACE SHIP PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | ZHENGHE 3_Q88 20241118.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | 01. MT JS JIANGYIN Ship Particulars.xlsx.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | ESTEEM ASTRO PARTICULARS.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
beirutrest.com | Q88.pdf.exe | malicious | AgentTesla, PureLog Stealer | 50.87.144.157
api.ipify.org | HBL BLJ2T2411809005 & DAJKT2411000812.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | 1d5sraR1S1.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | P4toChrGer.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | zed.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | back.ps1 | malicious | Unknown | 104.26.13.205
api.ipify.org | zed.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | kyjjrfgjjsedf.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
api.ipify.org | kohjaekdfth.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
                                                          kthkksefd.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | lKvXJ7VVCK.exe | malicious | FormBook | 108.179.253.197
UNIFIEDLAYER-AS-1US | Finalize_Agreement_DocuSign.pdf | malicious | Captcha Phish | 192.254.225.121
UNIFIEDLAYER-AS-1US | 1d5sraR1S1.exe | malicious | AgentTesla | 50.87.219.149
UNIFIEDLAYER-AS-1US | P4toChrGer.exe | malicious | AgentTesla | 50.87.219.149
UNIFIEDLAYER-AS-1US | sora.mpsl.elf | malicious | Mirai | 162.144.19.14
UNIFIEDLAYER-AS-1US | botnet.spc.elf | malicious | Mirai, Moobot | 142.6.141.61
UNIFIEDLAYER-AS-1US | arm7.elf | malicious | Mirai, Moobot | 142.7.26.16
UNIFIEDLAYER-AS-1US | https://mobile.mail.yahoo.com/apps/affiliateRouter?brandUrl=https://www.google.com/amp/t.co/N0QLoca1EY&appName=YMailNorrin&partner=1&locale=1&pageId=commerce_intent&clickRef=message_header&region=us&annotation=&buckets=&segment=&interactedItem=&slot=&uuid=mailNA | malicious | Unknown | 50.6.173.246
UNIFIEDLAYER-AS-1US | https://herald-review.com/users/logout-success/?expire=1626371676&referer_url=http://209.159.152.50 | malicious | HTMLPhisher | 69.49.230.198
UNIFIEDLAYER-AS-1US | https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com | malicious | Unknown | 50.6.196.212
CLOUDFLARENETUS | swift.exe | malicious | Snake Keylogger | 172.67.177.134
CLOUDFLARENETUS | Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | tA5DvuNwfQ.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | Factura.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | Gastroptosis (5).exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | HBL BLJ2T2411809005 & DAJKT2411000812.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | Fonts.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | New Order C0038 2024.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | Order MEI PO IM202411484.exe | malicious | FormBook | 172.67.186.192
CLOUDFLARENETUS | 021337ISOGENERAL.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe | malicious | MassLogger RAT | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | tA5DvuNwfQ.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Factura.exe | malicious | GuLoader, Snake Keylogger | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | HBL BLJ2T2411809005 & DAJKT2411000812.exe | malicious | AgentTesla | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | SPP_14667098030794_8611971920#U00b7pdf.vbs | malicious | Remcos, GuLoader | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | New Order C0038 2024.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | faktura461250706050720242711#U00b7pdf.vbs | malicious | Unknown | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 021337ISOGENERAL.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 11315781264#U00b7pdf.vbs | malicious | Unknown | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | 30180908_signed#U00b7pdf.vbs | malicious | Unknown | 172.67.74.152
                                                          No context
                                                          Process:C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:true
                                                          Reputation:high, very likely benign file
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):0.6599547231656377
                                                          Encrypted:false
                                                          SSDEEP:3:NlllulRlltl:NllU
                                                          MD5:2AAC5546A51052C82C51A111418615EB
                                                          SHA1:14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
                                                          SHA-256:DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
                                                          SHA-512:1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:@...e...........................................................
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.007434814298171
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:ship's particulars-TBN.pdf.scr.exe
                                                          File size:880'128 bytes
                                                          MD5:5ad9fe85b2c0e0d32a589ce54e7b902e
                                                          SHA1:73eb76b140f25ceecb6eb7dc1ba5c97114e46618
                                                          SHA256:e9be7f50bd810d3b8a459a54c2310b567dd7065cb52803306cc5e6132eb9e12f
                                                          SHA512:7899f2cec191bebd1214ba7d6ff6472e59daeb202e3a0d5d46747ddbbe731abe34aaa8f220be3ab7485515ea0038ebc18d64d6c6be4961e8d25b3cc272329979
                                                          SSDEEP:12288:ZS+OlRrvLX8RD8BnN+F179Oks2u4ayy+k5h/2IYw62:oARDI6+Z27t2hOPw5
                                                          TLSH:9715C43E19B8622BB1B9C7A5FBE48127B07096EFF151AD64D4EB435A4302A0374C327D
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o................0..b..........F.... ........@.. ....................................@................................
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x4d8146
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xE9B06FC8 [Sun Mar 28 22:38:00 2094 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          push ebx
                                                          add byte ptr [ecx+00h], bh
                                                          jnc 00007F01951FE7D2h
                                                          je 00007F01951FE7D2h
                                                          add byte ptr [ebp+00h], ch
                                                          add byte ptr [ecx+00h], al
                                                          arpl word ptr [eax], ax
                                                          je 00007F01951FE7D2h
                                                          imul eax, dword ptr [eax], 00610076h
                                                          je 00007F01951FE7D2h
                                                          outsd
                                                          add byte ptr [edx+00h], dh
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd80f3 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xda000 | 0x644 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd6d8c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd616c | 0xd6200 | bcbed4f4404f305252ea1d2f0f236a2a | False | 0.7144025010945709 | data | 7.0158745783234275 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xda000 | 0x644 | 0x800 | f14743ede6c7f890e0c97b26f3cfa954 | False | 0.34228515625 | data | 3.4931321820752284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xdc000 | 0xc | 0x200 | 3914ffac2ab5ed7e68a78ccedfc72a8a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xda090 | 0x3b4 | data | | | 0.41244725738396626
RT_MANIFEST | 0xda454 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
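The static fields above (TimeDateStamp 0xE9B06FC8, which decodes to a link time in 2094; the DllCharacteristics flags; the COM descriptor directory at 0x2008, which is what makes this a .NET assembly; and the `jmp dword ptr [00402000h]` at the entry point, an indirect jump through the IAT slot at ImageBase + 0x2000 to mscoree!_CorExeMain) can be reproduced and sanity-checked with a handful of `struct` reads. The following is an added example, not code from the report or from Joe Sandbox. It builds a minimal PE32 image in memory using the report's header values (constructed test data, not the analysed sample; the entry RVA 0x2050 is an assumption made to keep the image small, the real sample's entry is 0x4d8146) and runs the checks an analyst would want over it.

```python
"""Static PE triage: timestamp plausibility, DllCharacteristics, CLR header, entry-point stub.
Added example; the PE bytes are constructed to mirror the report's values."""
import datetime as dt
import struct

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SAMPLE_TIMESTAMP = 0xE9B06FC8     # TimeDateStamp shown in the report
SAMPLE_IMAGE_BASE = 0x400000
SAMPLE_ENTRY_RVA = 0x2050         # assumption for the constructed image (real sample: 0x4d8146)


def build_sample_pe(timestamp=SAMPLE_TIMESTAMP, entry_rva=SAMPLE_ENTRY_RVA):
    """Construct a minimal PE32 image: headers in 0x200 bytes, one .text section at RVA 0x2000."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF: Machine=i386, 1 section, TimeDateStamp, no symbols, PE32 opt header size,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE (as in the report)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", hdr, opt,
                     0x10B, 48, 0, 0x200, 0, 0, entry_rva, 0x2000, 0x4000, SAMPLE_IMAGE_BASE,
                     0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0,
                     2,        # Subsystem: WINDOWS_GUI
                     0x8540,   # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = opt + 96
    struct.pack_into("<II", hdr, dirs + 8 * DIR_IAT, 0x2000, 0x8)              # IAT
    struct.pack_into("<II", hdr, dirs + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".text", 0x200, 0x2000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)                       # CODE | EXECUTE | READ
    text = bytearray(0x200)
    struct.pack_into("<I", text, 0x0008, 0x48)                    # CLR header cb field
    # Entry stub FF 25 <abs addr>: jmp dword ptr [ImageBase + IAT RVA], i.e. [0x402000]
    off = entry_rva - 0x2000
    text[off:off + 6] = b"\xff\x25" + struct.pack("<I", SAMPLE_IMAGE_BASE + 0x2000)
    return bytes(hdr + text)


def rva_to_offset(rva, sections):
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def triage_pe(data, now=None):
    """Return the report's static fields plus the checks derived from them."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    dllchars, = struct.unpack_from("<H", data, opt + 70)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    # TimeDateStamp is 32-bit seconds since 1970; a value after "now" is a tampered link time.
    build_time = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(seconds=ts)
    now = now or dt.datetime.now(dt.timezone.utc)
    clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR]      # non-empty => managed (.NET) image
    iat_rva, _ = dirs[DIR_IAT]
    eo = rva_to_offset(entry_rva, sections)
    stub = data[eo:eo + 6]
    stub_target = struct.unpack_from("<I", stub, 2)[0] if stub[:2] == b"\xff\x25" else None
    return {
        "timestamp_hex": f"{ts:#010x}",
        "build_time": build_time.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "timestamp_in_future": build_time > now + dt.timedelta(days=1),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "entry_section": next(s[0] for s in sections if s[1] <= entry_rva < s[1] + max(s[2], s[4])),
        "entry_jumps_via_iat": stub_target == image_base + iat_rva,   # CLR stub to _CorExeMain
    }


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_pe()).items():
        print(f"{key:22} {value}")
```

Point `triage_pe` at the bytes of a real file to get the same fields the report lists; `entry_jumps_via_iat` being true together with `is_dotnet` explains why the disassembly listing above is one `jmp` followed by metadata bytes rather than native code.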
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 14:38:04.606153011 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:04.606215000 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:04.606278896 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:04.635550976 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:04.635564089 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:05.903661966 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:05.903820992 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:05.907682896 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:05.907705069 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:05.908107042 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:05.958760977 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:06.003325939 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:06.357253075 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:06.357322931 CET | 443 | 49706 | 172.67.74.152 | 192.168.2.8
Dec 2, 2024 14:38:06.357465982 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:06.363157988 CET | 49706 | 443 | 192.168.2.8 | 172.67.74.152
Dec 2, 2024 14:38:07.543973923 CET | 49708 | 21 | 192.168.2.8 | 50.87.144.157
Dec 2, 2024 14:38:07.664134026 CET | 21 | 49708 | 50.87.144.157 | 192.168.2.8
Dec 2, 2024 14:38:07.664299011 CET | 49708 | 21 | 192.168.2.8 | 50.87.144.157
Dec 2, 2024 14:38:07.683224916 CET | 49708 | 21 | 192.168.2.8 | 50.87.144.157
Dec 2, 2024 14:38:07.804776907 CET | 21 | 49708 | 50.87.144.157 | 192.168.2.8
Dec 2, 2024 14:38:07.804832935 CET | 49708 | 21 | 192.168.2.8 | 50.87.144.157
                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 2, 2024 14:38:04.443201065 CET6446853192.168.2.81.1.1.1
                                                          Dec 2, 2024 14:38:04.585820913 CET53644681.1.1.1192.168.2.8
                                                          Dec 2, 2024 14:38:06.870264053 CET5128553192.168.2.81.1.1.1
                                                          Dec 2, 2024 14:38:07.543209076 CET53512851.1.1.1192.168.2.8
                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Dec 2, 2024 14:38:04.443201065 CET192.168.2.81.1.1.10xe696Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                          Dec 2, 2024 14:38:06.870264053 CET192.168.2.81.1.1.10xcecbStandard query (0)beirutrest.comA (IP address)IN (0x0001)false
                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Dec 2, 2024 14:38:04.585820913 CET1.1.1.1192.168.2.80xe696No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                          Dec 2, 2024 14:38:04.585820913 CET1.1.1.1192.168.2.80xe696No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                          Dec 2, 2024 14:38:04.585820913 CET1.1.1.1192.168.2.80xe696No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                          Dec 2, 2024 14:38:07.543209076 CET1.1.1.1192.168.2.80xcecbNo error (0)beirutrest.com50.87.144.157A (IP address)IN (0x0001)false
                                                          • api.ipify.org
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.8 | 49706 | 172.67.74.152 | 443 | 7752 | C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-02 13:38:05 UTC | 155 | OUT | GET / HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                          Host: api.ipify.org
                                                          Connection: Keep-Alive
                                                          2024-12-02 13:38:06 UTC | 424 | IN | HTTP/1.1 200 OK
                                                          Date: Mon, 02 Dec 2024 13:38:06 GMT
                                                          Content-Type: text/plain
                                                          Content-Length: 12
                                                          Connection: close
                                                          Vary: Origin
                                                          CF-Cache-Status: DYNAMIC
                                                          Server: cloudflare
                                                          CF-RAY: 8ebbb72498cd8c15-EWR
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1782&min_rtt=1775&rtt_var=681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1590413&cwnd=238&unsent_bytes=0&cid=998434008c513b9f&ts=469&x=0"
                                                          2024-12-02 13:38:06 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                          Data Ascii: 8.46.123.228



                                                          Target ID:1
                                                          Start time:08:37:59
                                                          Start date:02/12/2024
                                                          Path:C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
                                                          Imagebase:0x90000
                                                          File size:880'128 bytes
                                                          MD5 hash:5AD9FE85B2C0E0D32A589CE54E7B902E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1467342543.0000000004FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1464053375.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:08:38:03
                                                          Start date:02/12/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
                                                          Imagebase:0x620000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:08:38:03
                                                          Start date:02/12/2024
                                                          Path:C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
                                                          Imagebase:0x90000
                                                          File size:880'128 bytes
                                                          MD5 hash:5AD9FE85B2C0E0D32A589CE54E7B902E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:08:38:03
                                                          Start date:02/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:08:38:03
                                                          Start date:02/12/2024
                                                          Path:C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\ship's particulars-TBN.pdf.scr.exe"
                                                          Imagebase:0xca0000
                                                          File size:880'128 bytes
                                                          MD5 hash:5AD9FE85B2C0E0D32A589CE54E7B902E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3893399847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3895415343.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3895415343.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3895415343.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false


                                                            Execution Graph

                                                            Execution Coverage:11.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:182
                                                            Total number of Limit Nodes:9
                                                            execution_graph 30612 9b4668 30613 9b467a 30612->30613 30614 9b4686 30613->30614 30616 9b4779 30613->30616 30617 9b479d 30616->30617 30621 9b4879 30617->30621 30625 9b4888 30617->30625 30623 9b48af 30621->30623 30622 9b498c 30622->30622 30623->30622 30629 9b44d4 30623->30629 30627 9b48af 30625->30627 30626 9b498c 30627->30626 30628 9b44d4 CreateActCtxA 30627->30628 30628->30626 30630 9b5918 CreateActCtxA 30629->30630 30632 9b59db 30630->30632 30633 9bd568 30634 9bd5ae 30633->30634 30638 9bd748 30634->30638 30641 9bd737 30634->30641 30635 9bd69b 30639 9bd776 30638->30639 30644 9bbc40 30638->30644 30639->30635 30642 9bbc40 DuplicateHandle 30641->30642 30643 9bd776 30642->30643 30643->30635 30645 9bd7b0 DuplicateHandle 30644->30645 30646 9bd846 30645->30646 30646->30639 30415 b6e1678 30416 b6e1803 30415->30416 30417 b6e169e 30415->30417 30417->30416 30420 b6e18f8 PostMessageW 30417->30420 30422 b6e18f1 30417->30422 30421 b6e1964 30420->30421 30421->30417 30423 b6e18f8 PostMessageW 30422->30423 30424 b6e1964 30423->30424 30424->30417 30425 6c6fe1f 30426 6c6fe31 30425->30426 30430 b6e03a0 30426->30430 30447 b6e03b0 30426->30447 30427 6c6fe41 30431 b6e03ca 30430->30431 30438 b6e03ee 30431->30438 30464 b6e0b2f 30431->30464 30474 b6e09d3 30431->30474 30479 b6e0893 30431->30479 30484 b6e0872 30431->30484 30489 b6e0bb5 30431->30489 30494 b6e0914 30431->30494 30499 b6e0f99 30431->30499 30504 b6e0a78 30431->30504 30515 b6e081f 30431->30515 30522 b6e08a3 30431->30522 30527 b6e0c03 30431->30527 30537 b6e0aa4 30431->30537 30542 b6e0a07 30431->30542 30547 b6e0b68 30431->30547 30438->30427 30448 b6e03ca 30447->30448 30449 b6e0b2f 6 API calls 30448->30449 30450 b6e0b68 2 API calls 30448->30450 30451 b6e0a07 2 API calls 30448->30451 30452 b6e0aa4 2 API calls 30448->30452 30453 b6e0c03 6 API calls 30448->30453 30454 b6e08a3 2 API calls 30448->30454 30455 b6e03ee 30448->30455 30456 b6e081f 4 API calls 30448->30456 30457 
b6e0a78 6 API calls 30448->30457 30458 b6e0f99 2 API calls 30448->30458 30459 b6e0914 2 API calls 30448->30459 30460 b6e0bb5 2 API calls 30448->30460 30461 b6e0872 2 API calls 30448->30461 30462 b6e0893 2 API calls 30448->30462 30463 b6e09d3 3 API calls 30448->30463 30449->30455 30450->30455 30451->30455 30452->30455 30453->30455 30454->30455 30455->30427 30456->30455 30457->30455 30458->30455 30459->30455 30460->30455 30461->30455 30462->30455 30463->30455 30465 b6e0b4b 30464->30465 30467 b6e0926 30464->30467 30552 6c6f220 30465->30552 30556 6c6f228 30465->30556 30560 6c6f2f8 30465->30560 30466 b6e0c4b 30566 6c6f170 30467->30566 30570 6c6f178 30467->30570 30468 b6e10f0 30475 b6e0d77 30474->30475 30574 b6e1420 30475->30574 30579 b6e1411 30475->30579 30476 b6e0d93 30480 b6e089d 30479->30480 30588 6c6f4b0 30480->30588 30592 6c6f4a8 30480->30592 30481 b6e0dca 30485 b6e087b 30484->30485 30486 b6e11dc 30485->30486 30596 6c6f3c0 30485->30596 30600 6c6f3b9 30485->30600 30486->30438 30492 6c6f3c0 WriteProcessMemory 30489->30492 30493 6c6f3b9 WriteProcessMemory 30489->30493 30490 b6e0cdf 30491 b6e09ac 30491->30489 30491->30490 30492->30491 30493->30491 30495 b6e091a 30494->30495 30497 6c6f170 ResumeThread 30495->30497 30498 6c6f178 ResumeThread 30495->30498 30496 b6e10f0 30497->30496 30498->30496 30500 b6e0fbf 30499->30500 30502 6c6f170 ResumeThread 30500->30502 30503 6c6f178 ResumeThread 30500->30503 30501 b6e10f0 30502->30501 30503->30501 30505 b6e0a7d 30504->30505 30506 b6e0b4b 30505->30506 30508 b6e0926 30505->30508 30512 6c6f220 Wow64SetThreadContext 30506->30512 30513 6c6f2f8 2 API calls 30506->30513 30514 6c6f228 Wow64SetThreadContext 30506->30514 30507 b6e0c4b 30510 6c6f170 ResumeThread 30508->30510 30511 6c6f178 ResumeThread 30508->30511 30509 b6e10f0 30510->30509 30511->30509 30512->30507 30513->30507 30514->30507 30604 6c6f63c 30515->30604 30608 6c6f648 30515->30608 30523 b6e08b0 30522->30523 30525 6c6f3c0 WriteProcessMemory 30523->30525 30526 6c6f3b9 
WriteProcessMemory 30523->30526 30524 b6e0d1d 30524->30438 30525->30524 30526->30524 30528 b6e0f2c 30527->30528 30534 6c6f220 Wow64SetThreadContext 30528->30534 30535 6c6f2f8 2 API calls 30528->30535 30536 6c6f228 Wow64SetThreadContext 30528->30536 30529 b6e0f89 30530 b6e087b 30530->30529 30531 b6e11dc 30530->30531 30532 6c6f3c0 WriteProcessMemory 30530->30532 30533 6c6f3b9 WriteProcessMemory 30530->30533 30531->30438 30532->30530 30533->30530 30534->30530 30535->30530 30536->30530 30538 b6e0aa5 30537->30538 30540 6c6f170 ResumeThread 30538->30540 30541 6c6f178 ResumeThread 30538->30541 30539 b6e10f0 30540->30539 30541->30539 30543 b6e0a0d 30542->30543 30545 6c6f170 ResumeThread 30543->30545 30546 6c6f178 ResumeThread 30543->30546 30544 b6e10f0 30545->30544 30546->30544 30550 6c6f3c0 WriteProcessMemory 30547->30550 30551 6c6f3b9 WriteProcessMemory 30547->30551 30548 b6e11dc 30548->30438 30549 b6e087b 30549->30547 30549->30548 30550->30549 30551->30549 30553 6c6f228 Wow64SetThreadContext 30552->30553 30555 6c6f2b5 30553->30555 30555->30466 30557 6c6f26d Wow64SetThreadContext 30556->30557 30559 6c6f2b5 30557->30559 30559->30466 30561 6c6f29b Wow64SetThreadContext 30560->30561 30562 6c6f2fe VirtualAllocEx 30560->30562 30563 6c6f2b5 30561->30563 30565 6c6f37d 30562->30565 30563->30466 30565->30466 30567 6c6f1b8 ResumeThread 30566->30567 30569 6c6f1e9 30567->30569 30569->30468 30571 6c6f1b8 ResumeThread 30570->30571 30573 6c6f1e9 30571->30573 30573->30468 30575 b6e1435 30574->30575 30578 6c6f2f8 2 API calls 30575->30578 30584 6c6f300 30575->30584 30576 b6e1454 30576->30476 30578->30576 30580 b6e1420 30579->30580 30582 6c6f300 VirtualAllocEx 30580->30582 30583 6c6f2f8 2 API calls 30580->30583 30581 b6e1454 30581->30476 30582->30581 30583->30581 30585 6c6f340 VirtualAllocEx 30584->30585 30587 6c6f37d 30585->30587 30587->30576 30589 6c6f4fb ReadProcessMemory 30588->30589 30591 6c6f53f 30589->30591 30591->30481 30593 6c6f4b0 ReadProcessMemory 30592->30593 30595 6c6f53f 
30593->30595 30595->30481 30597 6c6f408 WriteProcessMemory 30596->30597 30599 6c6f45f 30597->30599 30599->30485 30601 6c6f408 WriteProcessMemory 30600->30601 30603 6c6f45f 30601->30603 30603->30485 30605 6c6f6d1 CreateProcessA 30604->30605 30607 6c6f893 30605->30607 30609 6c6f6d1 CreateProcessA 30608->30609 30611 6c6f893 30609->30611 30611->30611 30407 9badd0 30410 9baeb7 30407->30410 30408 9baddf 30411 9baefc 30410->30411 30412 9baed9 30410->30412 30411->30408 30412->30411 30413 9bb100 GetModuleHandleW 30412->30413 30414 9bb12d 30413->30414 30414->30408

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 16 6c60040-6c60061 17 6c60063 16->17 18 6c60068-6c60154 16->18 17->18 20 6c6097c-6c609a4 18->20 21 6c6015a-6c602ab 18->21 24 6c61081-6c6108a 20->24 66 6c602b1-6c6030c 21->66 67 6c6094a-6c60979 21->67 25 6c609b2-6c609bb 24->25 26 6c61090-6c610a7 24->26 28 6c609c2-6c60ab6 25->28 29 6c609bd 25->29 48 6c60ae0 28->48 49 6c60ab8-6c60ac4 28->49 29->28 51 6c60ae6-6c60b06 48->51 52 6c60ac6-6c60acc 49->52 53 6c60ace-6c60ad4 49->53 58 6c60b66-6c60bdc 51->58 59 6c60b08-6c60b61 51->59 54 6c60ade 52->54 53->54 54->51 77 6c60c31-6c60c74 58->77 78 6c60bde-6c60c2f 58->78 71 6c6107e 59->71 74 6c60311-6c6031c 66->74 75 6c6030e 66->75 67->20 71->24 79 6c60860-6c60866 74->79 75->74 103 6c60c7f-6c60c85 77->103 78->103 81 6c60321-6c6033f 79->81 82 6c6086c-6c608e9 79->82 84 6c60396-6c603ab 81->84 85 6c60341-6c60345 81->85 121 6c60936-6c6093c 82->121 87 6c603b2-6c603c8 84->87 88 6c603ad 84->88 85->84 90 6c60347-6c60352 85->90 92 6c603cf-6c603e6 87->92 93 6c603ca 87->93 88->87 94 6c60388-6c6038e 90->94 98 6c603ed-6c60403 92->98 99 6c603e8 92->99 93->92 96 6c60354-6c60358 94->96 97 6c60390-6c60391 94->97 106 6c6035e-6c60376 96->106 107 6c6035a 96->107 104 6c60414-6c60485 97->104 101 6c60405 98->101 102 6c6040a-6c60411 98->102 99->98 101->102 102->104 108 6c60cdc-6c60ce8 103->108 111 6c60487 104->111 112 6c6049b-6c60613 104->112 109 6c6037d-6c60385 106->109 110 6c60378 106->110 107->106 115 6c60c87-6c60ca9 108->115 116 6c60cea-6c60d72 108->116 109->94 110->109 111->112 114 6c60489-6c60495 111->114 122 6c60615 112->122 123 6c60629-6c60764 112->123 114->112 118 6c60cb0-6c60cd9 115->118 119 6c60cab 115->119 143 6c60ef3-6c60efc 116->143 118->108 119->118 126 6c6093e 121->126 127 6c608eb-6c60933 121->127 122->123 128 6c60617-6c60623 122->128 135 6c60766-6c6076a 123->135 136 6c607c8-6c607dd 123->136 126->67 127->121 128->123 135->136 138 6c6076c-6c6077b 135->138 140 6c607e4-6c60805 136->140 141 6c607df 136->141 142 
6c607ba-6c607c0 138->142 145 6c60807 140->145 146 6c6080c-6c6082b 140->146 141->140 151 6c607c2-6c607c3 142->151 152 6c6077d-6c60781 142->152 147 6c60d77-6c60d8c 143->147 148 6c60f02-6c60f5d 143->148 145->146 149 6c60832-6c60852 146->149 150 6c6082d 146->150 155 6c60d95-6c60ee1 147->155 156 6c60d8e 147->156 174 6c60f94-6c60fbe 148->174 175 6c60f5f-6c60f92 148->175 157 6c60854 149->157 158 6c60859 149->158 150->149 159 6c6085d 151->159 153 6c60783-6c60787 152->153 154 6c6078b-6c607ac 152->154 153->154 161 6c607b3-6c607b7 154->161 162 6c607ae 154->162 179 6c60eed 155->179 156->155 163 6c60e23-6c60e63 156->163 164 6c60dde-6c60e1e 156->164 165 6c60d9b-6c60dd9 156->165 166 6c60e68-6c60ea8 156->166 157->158 158->159 159->79 161->142 162->161 163->179 164->179 165->179 166->179 183 6c60fc7-6c61058 174->183 175->183 179->143 187 6c6105f-6c61077 183->187 187->71
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: <ov!
                                                            • API String ID: 0-3980319286
                                                            • Opcode ID: fc0bdff20af0afdf48da97b88da2d5c49d9c9af0e324e35335daf0ff0c445b47
                                                            • Instruction ID: 293e81742bfe6bf0ed0d53e2adefca6206b2b67584fc3985363949c56a659637
                                                            • Opcode Fuzzy Hash: fc0bdff20af0afdf48da97b88da2d5c49d9c9af0e324e35335daf0ff0c445b47
                                                            • Instruction Fuzzy Hash: 3FB2A574E00628CFDB64CF69C984BD9BBB2BF89304F1581E5E509AB225DB319E81CF40
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1469250766.000000000B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B6E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_b6e0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6ab4d6501495047aa5af644f7b6b0f199a0af902c8798bbaa830caad47918ea
                                                            • Instruction ID: 6e4280abdfbb38c38edd5c4f515f78b30b5e8469e85fee05432de0ead1684f3a
                                                            • Opcode Fuzzy Hash: e6ab4d6501495047aa5af644f7b6b0f199a0af902c8798bbaa830caad47918ea
                                                            • Instruction Fuzzy Hash: 8E32BDB0B022049FDB19DB69C560BAEB7FBEF88700F144469E5569B3A1DB34ED01CB61
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1db39957f99095301264824930e3ad9cf0c05c4d9391905dd1bb42df9e68a3af
                                                            • Instruction ID: e4920b95df6460e5f36f2e418e0e8d75b9863f3344d7ed274b8125c781d117f8
                                                            • Opcode Fuzzy Hash: 1db39957f99095301264824930e3ad9cf0c05c4d9391905dd1bb42df9e68a3af
                                                            • Instruction Fuzzy Hash: 6971F670D05218CFEB58DFAAD8846EEBBF6FB99301F20D02AE519A7211D7345946CF84
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3288a478a6625466972ad31a9f51039351661a91f81bb03eb5720c4a944ceebc
                                                            • Instruction ID: e38fda4fb9a12aa9f763179b146deca488a83e107d02ad8bdbee53d7f98d3b04
                                                            • Opcode Fuzzy Hash: 3288a478a6625466972ad31a9f51039351661a91f81bb03eb5720c4a944ceebc
                                                            • Instruction Fuzzy Hash: 4F51A670E013189FDB08DFA9D991AEEBBF2FF88310F548429D409BB264DB359942DB50
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 730a01b0f399ae96524919f2cbd2bc6c48804195ac8d273692cd2789478afccd
                                                            • Instruction ID: a138ed30c07bb7076732ac83630b41fe7a259aa3c579877cb9175441d2b9427f
                                                            • Opcode Fuzzy Hash: 730a01b0f399ae96524919f2cbd2bc6c48804195ac8d273692cd2789478afccd
                                                            • Instruction Fuzzy Hash: 5C51B670E012089FDB08DFA9D991AEEBBF2FF88310F548029D409AB264DB355942DF50
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 72d08d96c3bd451f03a80fc915ece6ae09631004e5902185ae52ba2b27fc6318
                                                            • Instruction ID: 8e78525d6fefac57cca5312490df21d2267bb711f646acd07c68be2d2afc77c5
                                                            • Opcode Fuzzy Hash: 72d08d96c3bd451f03a80fc915ece6ae09631004e5902185ae52ba2b27fc6318
                                                            • Instruction Fuzzy Hash: 9E21E4B0D046199BEB58CFA7C8543DEFBF2AFC9300F14C06AD409AA254DB74094ACF94

                                                            Control-flow Graph

                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6F2A6
                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C6F36E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: AllocContextThreadVirtualWow64
                                                            • String ID:
                                                            • API String ID: 2727713192-0
                                                            • Opcode ID: 02303f23d402d2e0f86fab5307134d7dfa2d679497b677fcdb802a45b6faede2
                                                            • Instruction ID: 28ccb192a640e9eae2c170fdf234811e30565b5078576672dc1cfd96620cb9fe
                                                            • Opcode Fuzzy Hash: 02303f23d402d2e0f86fab5307134d7dfa2d679497b677fcdb802a45b6faede2
                                                            • Instruction Fuzzy Hash: 3031897680034A8FDB10DFAAD8447DEFBF6AF88320F14882DE569A7250C7399541CFA4

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f63c; contains a call to CreateProcessA)
                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C6F87E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: e9c89681bb5f000370ab0624842a9a43e768e8b2db0cfa27af754c71dbb937e1
                                                            • Instruction ID: e703140a220eb7adbbc37318ce1b27db0338fb3d31847587a31037e542268c34
                                                            • Opcode Fuzzy Hash: e9c89681bb5f000370ab0624842a9a43e768e8b2db0cfa27af754c71dbb937e1
                                                            • Instruction Fuzzy Hash: B2A18A71D00219DFEB60CF69D8807EEBBB2BF48314F1485ADE858A7240DB749A85CF95

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f648; contains a call to CreateProcessA)
                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C6F87E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 651ddb04eaaa3ed9532a6e5e9b7b0254fb014a4bf3fa9fce9c730f55f525d83b
                                                            • Instruction ID: a7dcbbde3a0bfd6c649648e5873f234b8f0c3612a508b25628a146a32bd5dd52
                                                            • Opcode Fuzzy Hash: 651ddb04eaaa3ed9532a6e5e9b7b0254fb014a4bf3fa9fce9c730f55f525d83b
                                                            • Instruction Fuzzy Hash: EC916B71D0031A9FEB50CF69D8817DEBBB2BF48314F1485ADE818A7280DB749A85CF95

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 9baeb7; calls internal functions 9b9840, 9ba210, 9ba220, 9ba230, 9ba240, 9bb150/9bb160 and GetModuleHandleW)
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 009BB11E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 3e5e06349146b86ac13fa4983d0799a1c875f4403059828f2c4f76a24e8ab188
                                                            • Instruction ID: b5be42e2ec65d40106d9e9d49ae7f15ab95321a2265291f1c0b427e5cae84160
                                                            • Opcode Fuzzy Hash: 3e5e06349146b86ac13fa4983d0799a1c875f4403059828f2c4f76a24e8ab188
                                                            • Instruction Fuzzy Hash: 23815670A00B058FD724DF29D5557AABBF5FF88310F008A2DE09AD7A40D775E946CB91

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 9b590d; contains a call to CreateActCtxA)
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 009B59C9
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 845e65b99c914f49d9507f5b33db0bf7bf7848c4e3d97f12263b6f0a506f9e72
                                                            • Instruction ID: bd23fd27b50d7c1878f2ae2fb12d9d04002ada20619c88350220898d62f59bf0
                                                            • Opcode Fuzzy Hash: 845e65b99c914f49d9507f5b33db0bf7bf7848c4e3d97f12263b6f0a506f9e72
                                                            • Instruction Fuzzy Hash: CB41EFB1D00719CFDB24DFA9C9847CEBBB5BF88714F20816AD408AB251DB756946CF90

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 9b44d4; contains a call to CreateActCtxA)
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 009B59C9
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 4650842458df47daaedb144bfe31b5d6b6a359a9b21344a22b47603e8fca0b71
                                                            • Instruction ID: 1c4896001988a3f28cf20a76e4835af5b9077a931fa5ed8ea18a10379b8d43a8
                                                            • Opcode Fuzzy Hash: 4650842458df47daaedb144bfe31b5d6b6a359a9b21344a22b47603e8fca0b71
                                                            • Instruction Fuzzy Hash: 4F41CFB1D00B19CBDB24DFA9C984B8EBBF5BF88714F20816AD408AB251DB756945CF90

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f3b9; contains a call to WriteProcessMemory)
                                                            APIs
                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C6F450
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 68b12ee7012bcf0e20d5626ffa1ebfb79f88f88e56fbe955a379f571f7177c14
                                                            • Instruction ID: 776454e3d3e90dcd6ad9e8a61a437b34364c91c11f03e0849468221a4e07cde6
                                                            • Opcode Fuzzy Hash: 68b12ee7012bcf0e20d5626ffa1ebfb79f88f88e56fbe955a379f571f7177c14
                                                            • Instruction Fuzzy Hash: 6621467590034A9FDB10CFAAD880BEEBBF5FF48310F10842EE959A7640C7789A54CB64

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f3c0; contains a call to WriteProcessMemory)
                                                            APIs
                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C6F450
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 9ae30c255815249494ad919121ebc4b12620fb541acdd4ac2e1e8a6b723d4c04
                                                            • Instruction ID: 4f18a2f5e050be13286d7f7a1ec6a24f5200a4660adb41e90a63a1b5717a71c9
                                                            • Opcode Fuzzy Hash: 9ae30c255815249494ad919121ebc4b12620fb541acdd4ac2e1e8a6b723d4c04
                                                            • Instruction Fuzzy Hash: F32126759003499FDB10DFAAD881BEEBBF5FF48310F10842EE919A7640C7789944CBA4

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f4a8; contains a call to ReadProcessMemory)
                                                            APIs
                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06C6F530
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 20b037eb0522293e3ebe3734390a082e7fc9bdeceeb3aecc0f4ad5eced86f72d
                                                            • Instruction ID: 2faa5d2bd9ce8081aa5a1251ad4ea393d852b198db446e2cc68d11b9668c1946
                                                            • Opcode Fuzzy Hash: 20b037eb0522293e3ebe3734390a082e7fc9bdeceeb3aecc0f4ad5eced86f72d
                                                            • Instruction Fuzzy Hash: C421157180034A9FDB10DFAAD881ADEBBF5FF48310F50842AE559A3240D77899418BA4

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f220; contains a call to Wow64SetThreadContext)
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6F2A6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 7471a5ff89430c4570c3f5dc53d295770185253e88366bccf2a495fd82eff095
                                                            • Instruction ID: 19566a204331dcf93fc61f270b05f311e3558397270f60736a2be2db954c795c
                                                            • Opcode Fuzzy Hash: 7471a5ff89430c4570c3f5dc53d295770185253e88366bccf2a495fd82eff095
                                                            • Instruction Fuzzy Hash: 6B214A75D0034A9FDB50DFAAC4857DEBBF5AF48214F10842DE459A7240C7789945CFA4

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 9bbc40; contains a call to DuplicateHandle)
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009BD776,?,?,?,?,?), ref: 009BD837
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 0e5044bbe995cb9a47a4c62d57c84f94cc8eab336684626498c557af05700f76
                                                            • Instruction ID: dea3bec201218c1a82bb5e631b5e710767a8fc65bbee7164768210fa64d37a0f
                                                            • Opcode Fuzzy Hash: 0e5044bbe995cb9a47a4c62d57c84f94cc8eab336684626498c557af05700f76
                                                            • Instruction Fuzzy Hash: BB21E7B5901349AFDB10CF9AD584ADEFBF9EB48320F14841AE918A3350D374A951CFA4

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 9bd7a9; contains a call to DuplicateHandle)
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009BD776,?,?,?,?,?), ref: 009BD837
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 7f2bbf0ae4c50fed9094b49449347c18ff4d68b1d8fd6add923de718296046f3
                                                            • Instruction ID: a7e2db0a9ac86496a94b710b55ef31eccf0e02cfe2ec91401ca2fd9210c2b6aa
                                                            • Opcode Fuzzy Hash: 7f2bbf0ae4c50fed9094b49449347c18ff4d68b1d8fd6add923de718296046f3
                                                            • Instruction Fuzzy Hash: 9C21E5B5D013499FDB10CFAAD584ADEFBF5EB48320F14841AE918A3350D3749955CFA1

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f4b0; contains a call to ReadProcessMemory)
                                                            APIs
                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06C6F530
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 6bd8c19f6aa3c9e27a949c4ab2c36b886029061da416efb931823d1289e3c269
                                                            • Instruction ID: 626c0e5f85a0c2af14a23495469d7851613d0333e69ddf58b63414270988672c
                                                            • Opcode Fuzzy Hash: 6bd8c19f6aa3c9e27a949c4ab2c36b886029061da416efb931823d1289e3c269
                                                            • Instruction Fuzzy Hash: 7A2105718003499FDB10DFAAD880BEEFBF5FF48310F508429E559A7240C7789941DBA4

                                                            Control-flow Graph

                                                            • Graph rendering not reproduced (executed / not executed blocks from 6c6f228; contains a call to Wow64SetThreadContext)
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6F2A6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 5006c170d5c2a206c204fb74ca0484fe10f6f25cd3c0833ece81d0a3b5a13654
                                                            • Instruction ID: 3f85214608a26abcee1b1cdcc24d710a8deebe47aabe4085f4de9cf0de66418c
                                                            • Opcode Fuzzy Hash: 5006c170d5c2a206c204fb74ca0484fe10f6f25cd3c0833ece81d0a3b5a13654
                                                            • Instruction Fuzzy Hash: ED213775D0034A8FDB50DFAAC4857AEBBF5AF88224F14842DD419A7240CB789945CFA4
                                                            APIs
                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C6F36E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: b32bf26d587b80fed3e84354e017a6e2389b7f3b1dfd0bf2b5045361af28b72b
                                                            • Instruction ID: 979a1b3c5fc570977f86ac77e33dd00a6d214ccb26cb0d34134b6610c5cf277e
                                                            • Opcode Fuzzy Hash: b32bf26d587b80fed3e84354e017a6e2389b7f3b1dfd0bf2b5045361af28b72b
                                                            • Instruction Fuzzy Hash: 4C1156718003499FDB10DFAAC844BDEBBF9EF88320F108819E525A7250C7799940CFA4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: efb4079b81563196315d1508e945dc98a463eb4cc7225eab3ef9a9d6f5f9b4c5
                                                            • Instruction ID: 38130c164f77e77cfcf3516c1b32d71d9762e4a590f1bd1112bcf8e43938500a
                                                            • Opcode Fuzzy Hash: efb4079b81563196315d1508e945dc98a463eb4cc7225eab3ef9a9d6f5f9b4c5
                                                            • Instruction Fuzzy Hash: 2D1179B190034A8FDB20DFAAD4447DEFBF5AF88324F20881DD459A7240C7399545CBA4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: f602e358310ca5e54c9b088d21155c2e32c5dbbba6f971ae46003449dc70c306
                                                            • Instruction ID: 82ebc992fbd61aecd9f9fd127696c680db45488b1514884bde6a5183856cbf16
                                                            • Opcode Fuzzy Hash: f602e358310ca5e54c9b088d21155c2e32c5dbbba6f971ae46003449dc70c306
                                                            • Instruction Fuzzy Hash: AF1158B1D003498FDB10DFAAC84479EFBF9AB88720F20881DD419A7240CB79A541CBA4
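The three functions above sit in the same dumped region (offset 06C60000) and between them reference VirtualAllocEx, Wow64SetThreadContext and ResumeThread, the remote-memory, thread-context and resume steps of a process-hollowing chain (consistent with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures in the overview). None of the three is suspicious on its own; the signal is that they cluster in one region. The following script is an added example, not Joe Sandbox code: it parses the per-function entry format used in this section, groups API references by dump region, and flags a region only when all three stages are present. The SAMPLE text is constructed by copying four entries from this section. Two assumptions are built in: that Joe Sandbox's "API ID" field is a token-sorted form of the API name (inferred from the entries here, e.g. VirtualAllocEx is tagged AllocVirtual), which the script uses as a fallback because the ResumeThread entries carry an API ID but no explicit API line; and the STAGES table itself, which is this example's own heuristic.

```python
"""Triage Joe Sandbox per-function API annotations for a process-hollowing chain.

Added example, not Joe Sandbox code. SAMPLE is constructed from entries of this
report: in region 06C60000 one function calls Wow64SetThreadContext, one calls
VirtualAllocEx, and one is tagged with the ResumeThread API ID without an explicit
API line; region 009B0000 only calls GetModuleHandleW and must not be flagged.
"""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6F2A6
Memory Dump Source
• Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Similarity
• API ID: ContextThreadWow64
• Instruction Fuzzy Hash: ED213775D0034A8FDB50DFAAC4857AEBBF5AF88224F14842DD419A7240CB789945CFA4
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C6F36E
Memory Dump Source
• Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Similarity
• API ID: AllocVirtual
• Instruction Fuzzy Hash: 4C1156718003499FDB10DFAAC844BDEBBF9EF88320F108819E525A7250C7799940CFA4
APIs
Memory Dump Source
• Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Similarity
• API ID: ResumeThread
• Instruction Fuzzy Hash: 2D1179B190034A8FDB20DFAAD4447DEFBF5AF88324F20881DD459A7240C7399545CBA4
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 009BB11E
Memory Dump Source
• Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
Similarity
• API ID: HandleModule
• Instruction Fuzzy Hash: A61113B5C003498FCB10CF9AD944BDEFBF8EB88724F10841AD419A7240C3B9A545CFA1
"""

# "• Name.MODULE(args), ref: ADDR" lines under the "APIs" heading.
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
# The dump region comes from the "Offset:" field of the Source File line.
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
API_ID = re.compile(r"^•\s*API ID:\s*(\S*)")

# Hollowing stages (this example's own heuristic): explicit API names, plus a
# token to look for in the Joe Sandbox "API ID" (assumed to be a token-sorted
# form of the API name, e.g. VirtualAllocEx -> AllocVirtual) for entries that
# carry an API ID but no explicit API line.
STAGES = {
    "alloc":   ({"VirtualAllocEx", "VirtualAlloc"}, "AllocVirtual"),
    "context": ({"Wow64SetThreadContext", "SetThreadContext"}, "ContextThread"),
    "resume":  ({"ResumeThread", "NtResumeThread"}, "ResumeThread"),
}


def parse_functions(text):
    """Split report text into per-function records.

    A record ends at its 'Instruction Fuzzy Hash' line and carries the dump
    region, the explicit API calls (name, module, args, ref) and the API ID.
    """
    funcs, cur = [], {"region": None, "apis": [], "api_id": ""}
    for line in text.splitlines():
        line = line.strip()
        m = API_LINE.match(line)
        if m:
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module,
                                "args": args.split(","), "ref": ref.upper()})
            continue
        m = OFFSET.search(line)
        if m:
            cur["region"] = m.group(1).upper()
            continue
        m = API_ID.match(line)
        if m:
            cur["api_id"] = m.group(1)
            continue
        if line.startswith("• Instruction Fuzzy Hash"):
            funcs.append(cur)
            cur = {"region": None, "apis": [], "api_id": ""}
    return funcs


def stages_by_region(funcs):
    """Map dump region -> set of hollowing stages evidenced by its functions."""
    found = defaultdict(set)
    for f in funcs:
        names = {a["name"] for a in f["apis"]}
        for stage, (api_names, id_token) in STAGES.items():
            if names & api_names or id_token in f["api_id"]:
                found[f["region"]].add(stage)
    return dict(found)


def hollowing_regions(funcs):
    """Regions whose functions together cover alloc + context + resume."""
    return sorted(r for r, s in stages_by_region(funcs).items()
                  if s >= set(STAGES))


if __name__ == "__main__":
    fs = parse_functions(SAMPLE)
    print(stages_by_region(fs))
    print("process-hollowing chain in region(s):", hollowing_regions(fs))
```

Run against a full report export, the grouping step is what separates a hollowing chain from benign code that happens to call VirtualAllocEx (e.g. runtime allocators): WriteProcessMemory is deliberately not required, because this report's entries do not show it, and a region that shows only one or two stages is reported in `stages_by_region` for manual review rather than flagged.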
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 009BB11E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 412e80bf122f9ecd1f407e0fe1860c6a722310da3b8361f7784f44ca9a6d01b4
                                                            • Instruction ID: 4ef2f93714149d861f570aa598b46fbcae4131bb90ebb2a582291237b384c906
                                                            • Opcode Fuzzy Hash: 412e80bf122f9ecd1f407e0fe1860c6a722310da3b8361f7784f44ca9a6d01b4
                                                            • Instruction Fuzzy Hash: A61113B5C003498FCB10CF9AD944BDEFBF8EB88724F10841AD419A7240C3B9A545CFA1
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 0B6E1955
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1469250766.000000000B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B6E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_b6e0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: e3076f5d0bf5c1c5e454cbad307505d578303ed6cf73a1a49e90f389b6fd55cf
                                                            • Instruction ID: f85649d209482046b78e517bcc0f99b3d694da425f27c9b55cb700f2cd7119db
                                                            • Opcode Fuzzy Hash: e3076f5d0bf5c1c5e454cbad307505d578303ed6cf73a1a49e90f389b6fd55cf
                                                            • Instruction Fuzzy Hash: AF11F2B580034A9FDB10DF9AD885BDEFBF8FB48720F108819E569A3240C375A544CFA1
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 0B6E1955
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1469250766.000000000B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B6E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_b6e0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 73e4414dfbce55dfe2117ab17203c9736a2314c54eed6a8c6e18599ab8b3878f
                                                            • Instruction ID: 4095eb7f719615926fe68f9e579aa86f9a774587caf453061d147eae044f1bb0
                                                            • Opcode Fuzzy Hash: 73e4414dfbce55dfe2117ab17203c9736a2314c54eed6a8c6e18599ab8b3878f
                                                            • Instruction Fuzzy Hash: 9C11C2B58003499FDB10DF9AD885BDEFBF8FB48720F108419D559A7640C375A544CFA5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1460969596.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_93d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 13d9c3b79121b80207b5e53dd4482bdb4b4d7c8bd5b595e4218791bc980e868a
                                                            • Instruction ID: 4ed567422153ad3fc216866f3502656ba4983ec5c84f3eddbead34c05039747c
                                                            • Opcode Fuzzy Hash: 13d9c3b79121b80207b5e53dd4482bdb4b4d7c8bd5b595e4218791bc980e868a
                                                            • Instruction Fuzzy Hash: FB212875605304DFDB05DF10E9D8B16BB69FB94324F20C569D8090B2A6C33AE856CFA2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1460969596.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_93d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a68fc6e6a72b4e8c41545a71b413e9ed357bf24957ff7bb158a879f27f767987
                                                            • Instruction ID: 2ab9cc5c50d64d340102927791a611bf4b5397057702b500f97fa31efdfcc519
                                                            • Opcode Fuzzy Hash: a68fc6e6a72b4e8c41545a71b413e9ed357bf24957ff7bb158a879f27f767987
                                                            • Instruction Fuzzy Hash: ED210671605340DFDB05DF14E9D4B26BF66FBC4318F20C569E8050B25AC33AD856CBA2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461094185.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_94d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76f15e432d887a231834b5ce7dff514001fce1e09c83de35eca570422f1c0f6b
                                                            • Instruction ID: 8c96e330a7c34c44f1f662a8a90e20091127bdfeb41056d1a8e2318d754fa3e5
                                                            • Opcode Fuzzy Hash: 76f15e432d887a231834b5ce7dff514001fce1e09c83de35eca570422f1c0f6b
                                                            • Instruction Fuzzy Hash: C621D079605304AFDB05DF10D9C4F26BBA5FB88314F20CA6DE8494B292C3BAD846CA61
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461094185.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_94d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b0e02aeda78413b707bb5f5005c0aed5a48dc94bd96ce865f70521d7a573c81
                                                            • Instruction ID: 7238bc8c94b37b7a03dace267a4697bbb8587d86fc4a5c06598fce3787128541
                                                            • Opcode Fuzzy Hash: 9b0e02aeda78413b707bb5f5005c0aed5a48dc94bd96ce865f70521d7a573c81
                                                            • Instruction Fuzzy Hash: 2B21D079605304DFDB14DF14D984F26BB65FB84714F20C96DD84A4B286C37AD847CA62
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461094185.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_94d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12f292f1b9a23732f7822b22764f166b84f9983e8cd9c2ae75ad2923c1bc8cb4
                                                            • Instruction ID: 906ce4367e2150228908d6aa8ad60cc48a4ec608e5f9105fe415fd0a4f609b8f
                                                            • Opcode Fuzzy Hash: 12f292f1b9a23732f7822b22764f166b84f9983e8cd9c2ae75ad2923c1bc8cb4
                                                            • Instruction Fuzzy Hash: 2C2150795093808FCB16CF24D994B15BF71EB46314F28C5DAD8498F6A7C33A980ACB62
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1460969596.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_93d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 0ef33c34245f52f2e4230fd3ed6c78e9ba58f51d23c50dd4209116dfa4d0d3d3
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 2011D376504240DFDB16CF14E5C4B16BF72FB94324F24C6A9D8490B6A6C33AE856CFA2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1460969596.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_93d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 61417235ee2c953608f2e7072d32255299602178e980baa078c5e88c4b3d4d05
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 84112676504280CFCB02CF10D5C0B16BF72FB84324F24C6A9E8490B25AC33AD856CFA2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461094185.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_94d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: 17921e54122de47fd8d6c209c59b78cbda3a132d51b6ac80d9e8525c1ae973ec
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: A711DD79504280DFDB01CF10C5C4B15FBB2FB84324F24C6ADD8494B296C37AD80ACB61
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1460969596.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_93d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 671012c0d0f8bd92c87842ad4e1aa558155bcd587982a5b44efe49ad29f4a0b6
                                                            • Instruction ID: 37c217e2ddc95033f5e9d9edb98a1f4d142e18bd0bce0d5cc3c7381f515f107d
                                                            • Opcode Fuzzy Hash: 671012c0d0f8bd92c87842ad4e1aa558155bcd587982a5b44efe49ad29f4a0b6
                                                            • Instruction Fuzzy Hash: C501F7B10053449BF7105A25DD94B66BBDCEF41765F14C51AED0A4A282C23D9841CF72
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1460969596.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_93d000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05ba95df834f4844680aa95116fd2b6bed5e9f00b9c5116e3d0291ebaedab50a
                                                            • Instruction ID: 4d08cf42c94d226b201ccf89fc4f82973c0b86ae818aa82711af2e09f08c0169
                                                            • Opcode Fuzzy Hash: 05ba95df834f4844680aa95116fd2b6bed5e9f00b9c5116e3d0291ebaedab50a
                                                            • Instruction Fuzzy Hash: 49F0CD72405344AFE7108E16DC88B62FFDCEB91734F18C05AED094A286C279A840CFB1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e192ce121977aa5609f3de50ce508d36dead876ae093ce4eb7f2f6bc5c9df4b
                                                            • Instruction ID: 20924b7f3ec2cab6c4f3401bda845908bb1847e863372ddb11dcf56c84b702fc
                                                            • Opcode Fuzzy Hash: 2e192ce121977aa5609f3de50ce508d36dead876ae093ce4eb7f2f6bc5c9df4b
                                                            • Instruction Fuzzy Hash: 56E11D74E002198FDB14DF99C5809AEFBF2FF89305F248169E858AB356D730A942CF65
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7456c3cd1502c8a094d894c89b3b8f5bf4f8b3e3cad888649c6d356a02f98587
                                                            • Instruction ID: 982a163c46ddc433cdf14790869157acfafb89b2ed6808aae0e0e10062f393a7
                                                            • Opcode Fuzzy Hash: 7456c3cd1502c8a094d894c89b3b8f5bf4f8b3e3cad888649c6d356a02f98587
                                                            • Instruction Fuzzy Hash: BBE12E74E042198FDB14DF99C5809AEFBF2FF89305F24816AE818AB356D730A941CF65
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36b5883bf2616d67c569eecf8d13323b8a643f9f526bb42af864077efd8d6b71
                                                            • Instruction ID: 4ab1b1faec54a7a9a43f9bcf8da46ceaf7653e27c473735e5dc08e0e612dde92
                                                            • Opcode Fuzzy Hash: 36b5883bf2616d67c569eecf8d13323b8a643f9f526bb42af864077efd8d6b71
                                                            • Instruction Fuzzy Hash: 31E1E974E002198FDB14DFA9C5809AEBBF2FF89305F248169E819AB356D730A941CF65
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa82ce4f0970a036073b8c4c1a7f08e74f13cbe476c0f7c3bceb64e62e3e5841
                                                            • Instruction ID: c0085af6fd3761312c5f7f63a1f168454e3a9077f7c061428f87b8a37f4904cf
                                                            • Opcode Fuzzy Hash: fa82ce4f0970a036073b8c4c1a7f08e74f13cbe476c0f7c3bceb64e62e3e5841
                                                            • Instruction Fuzzy Hash: DFE13E74E002198FDB14DF99C5809AEFBF2FF89305F248169E859AB356C730A942CF61
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec6b7e11aa7ae6873797798783349c307d0879a15bce3a2e453764f24aeaa676
                                                            • Instruction ID: 4076283e5d4f3553815aa7fed87f8026c00717299f7176b1c18a2e6715bf0539
                                                            • Opcode Fuzzy Hash: ec6b7e11aa7ae6873797798783349c307d0879a15bce3a2e453764f24aeaa676
                                                            • Instruction Fuzzy Hash: 3DE11E74E002198FDB14DF99C580AADFBF2FF89304F248169E859AB356D7309942CFA5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1469250766.000000000B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B6E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_b6e0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4f8f65a2e5e22e919f79965fe3ea8897cd2ae3e6c729e249d6633b0628bea7c
                                                            • Instruction ID: 7d42eddfdc04c3a118188a9c2af78319acb9c1ddeb942cbd990fa87494d157df
                                                            • Opcode Fuzzy Hash: b4f8f65a2e5e22e919f79965fe3ea8897cd2ae3e6c729e249d6633b0628bea7c
                                                            • Instruction Fuzzy Hash: A6D1A174A016088FDB08DF69D598AADB7F1BF8C701F2580A9E419AB371DB31AD41CF60
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 645f600199bb2479f1b90d1e63e36d6b4d5be4cfb3edb5b0988ccf73e85068d2
                                                            • Instruction ID: 37a755b11cb1f10906d4bb46b866d695f94e5661a91107391c1eeab6c7dce15f
                                                            • Opcode Fuzzy Hash: 645f600199bb2479f1b90d1e63e36d6b4d5be4cfb3edb5b0988ccf73e85068d2
                                                            • Instruction Fuzzy Hash: A4D1F635D1075ACACB11EB64D990699B7B1FFD6300F20C79AE50A3B215EB70AAC4CF91
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1461474737.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_9b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f9dd84fb664cbb7061c6265f27423339c93eccea9e3a29590a22a5c138e8097
                                                            • Instruction ID: d31cdab2051d847b40f0882436bc57aadeb2868a9dfa72f64cb84f4f1295ddab
                                                            • Opcode Fuzzy Hash: 9f9dd84fb664cbb7061c6265f27423339c93eccea9e3a29590a22a5c138e8097
                                                            • Instruction Fuzzy Hash: B7A14D32E00219DFCF05DFA4C9945DEB7B6FF85310B15857AE805AB261DB35E916CB40
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29ec9fc1680834030e34b0eb0595987780cd6fc54c443c0aed11229acc254ea4
                                                            • Instruction ID: 50cac43ed89b4138e8b6eb702773a5472c9969ea6522b114f93c18ca70560dfc
                                                            • Opcode Fuzzy Hash: 29ec9fc1680834030e34b0eb0595987780cd6fc54c443c0aed11229acc254ea4
                                                            • Instruction Fuzzy Hash: DED1E635D1075ACACB11EB64D990699B7B1FFD6300F20C79AE5093B215EB70AAC4CF91
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c380d377b4ee670ba3711c44abfcfe0653d55cef162554dd26f2f8d332e198a
                                                            • Instruction ID: ddf78f62c9bfe69fa5fd46d1edebfedf2ec5d768973156d8b0ed5ce42c9c4dc4
                                                            • Opcode Fuzzy Hash: 4c380d377b4ee670ba3711c44abfcfe0653d55cef162554dd26f2f8d332e198a
                                                            • Instruction Fuzzy Hash: 6B511074E042198FDB14CFAAC5805AEFBF2FF89304F2481AAD558AB315D7319A42CF65
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1467872451.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6c60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbd5d9e5aac3acd23fd8547319c4950b765e83b832521bb7db7bb6b94234231a
                                                            • Instruction ID: f3b19f6a77b3d5341517b8e69a09f143ab6e2b5264c70e41f14b810f5147fd53
                                                            • Opcode Fuzzy Hash: cbd5d9e5aac3acd23fd8547319c4950b765e83b832521bb7db7bb6b94234231a
                                                            • Instruction Fuzzy Hash: 58511C74E002198FDB14CFAAC5805AEFBF2FF89304F248169D458AB315D7319A42CFA1

                                                            Execution Graph

                                                            Execution Coverage: 10%
                                                            Dynamic/Decrypted Code Coverage: 100%
                                                            Signature Coverage: 0%
                                                            Total number of Nodes: 118
                                                            Total number of Limit Nodes: 17
                                                            execution_graph 39090 15b0848 39091 15b084e 39090->39091 39092 15b091b 39091->39092 39096 6d51b70 39091->39096 39100 6d51b60 39091->39100 39104 15b1343 39091->39104 39097 6d51b7f 39096->39097 39108 6d5175c 39097->39108 39101 6d51b70 39100->39101 39102 6d5175c GetModuleHandleW 39101->39102 39103 6d51ba0 39102->39103 39103->39091 39106 15b134e 39104->39106 39105 15b1440 39105->39091 39106->39105 39162 15b7e71 39106->39162 39109 6d51767 39108->39109 39112 6d5271c 39109->39112 39113 6d52727 39112->39113 39114 6d5384c 39113->39114 39116 6d554e0 39113->39116 39117 6d55501 39116->39117 39118 6d55525 39117->39118 39120 6d55690 39117->39120 39118->39114 39121 6d5569d 39120->39121 39122 6d556d6 39121->39122 39124 6d5416c 39121->39124 39122->39118 39125 6d54177 39124->39125 39127 6d55748 39125->39127 39128 6d541a0 39125->39128 39127->39127 39129 6d541ab 39128->39129 39135 6d541b0 39129->39135 39131 6d557b7 39139 6d5ac58 39131->39139 39145 6d5ac57 39131->39145 39132 6d557f1 39132->39127 39136 6d541bb 39135->39136 39137 6d56bb8 39136->39137 39138 6d554e0 GetModuleHandleW 39136->39138 39137->39131 39138->39137 39141 6d5ac89 39139->39141 39142 6d5acd5 39139->39142 39140 6d5ac95 39140->39132 39141->39140 39151 6d5aed0 39141->39151 39154 6d5aec0 39141->39154 39142->39132 39147 6d5ac89 39145->39147 39148 6d5acd5 39145->39148 39146 6d5ac95 39146->39132 39147->39146 39149 6d5aed0 GetModuleHandleW 39147->39149 39150 6d5aec0 GetModuleHandleW 39147->39150 39148->39132 39149->39148 39150->39148 39157 6d5af1f 39151->39157 39152 6d5aeda 39152->39142 39155 6d5aeda 39154->39155 39156 6d5af1f GetModuleHandleW 39154->39156 39155->39142 39156->39155 39158 6d5af54 39157->39158 39159 6d5af31 39157->39159 39158->39152 39159->39158 39160 6d5b158 GetModuleHandleW 39159->39160 39161 6d5b185 39160->39161 39161->39152 39163 15b7e7b 39162->39163 39164 15b7f31 39163->39164 39168 6d6f96b 39163->39168 39173 6d6f978 39163->39173 39178 6d6fbb8 39163->39178 39164->39106 39169 6d6f98d 39168->39169 39170 6d6fba2 39169->39170 39171 6d6fbc7 GlobalMemoryStatusEx 39169->39171 39172 6d6fbc8 GlobalMemoryStatusEx 39169->39172 39170->39164 39171->39169 39172->39169 39174 6d6f98d 39173->39174 39175 6d6fba2 39174->39175 39176 6d6fbc8 GlobalMemoryStatusEx 39174->39176 39177 6d6fbc7 GlobalMemoryStatusEx 39174->39177 39175->39164 39176->39174 39177->39174 39179 6d6fbbe 39178->39179 39181 6d6f98d 39178->39181 39179->39164 39180 6d6fba2 39180->39164 39181->39180 39182 6d6fbc7 GlobalMemoryStatusEx 39181->39182 39183 6d6fbc8 GlobalMemoryStatusEx 39181->39183 39182->39181 39183->39181 39045 6d5d0f0 39046 6d5d158 CreateWindowExW 39045->39046 39048 6d5d214 39046->39048 39048->39048 39184 6d52ac0 DuplicateHandle 39185 6d52b56 39184->39185 39049 156d030 39050 156d048 39049->39050 39051 156d0a2 39050->39051 39057 6d5d2a8 39050->39057 39061 6d5d2f8 39050->39061 39066 6d5e3f8 39050->39066 39070 6d5d297 39050->39070 39074 6d5a4c4 39050->39074 39058 6d5d2ce 39057->39058 39059 6d5a4c4 CallWindowProcW 39058->39059 39060 6d5d2ef 39059->39060 39060->39051 39062 6d5d307 39061->39062 39063 6d5d28f 39061->39063 39062->39051 39064 6d5a4c4 CallWindowProcW 39063->39064 39065 6d5d2ef 39064->39065 39065->39051 39067 6d5e408 39066->39067 39069 6d5e459 39067->39069 39078 6d5a5ec CallWindowProcW 39067->39078 39071 6d5d2a5 39070->39071 39072 6d5a4c4 CallWindowProcW 39071->39072 39073 6d5d2ef 39072->39073 39073->39051 39075 6d5a4cf 39074->39075 39077 6d5e459 39075->39077 39079 6d5a5ec CallWindowProcW 39075->39079 39078->39069 39079->39077 39186 6d5f80f 39187 6d5f830 39186->39187 39188 6d5f872 39187->39188 39189 6d5f91c 39187->39189 39191 6d5f8ca CallWindowProcW 39188->39191 39192 6d5f879 39188->39192 39190 6d5a4c4 CallWindowProcW 39189->39190 39190->39192 39191->39192 39080 6d52878 39081 6d528be GetCurrentProcess 39080->39081 39083 6d52910 GetCurrentThread 39081->39083 39084 6d52909 39081->39084 39085 6d52946 39083->39085 39086 6d5294d GetCurrentProcess 39083->39086 39084->39083 39085->39086 39089 6d52983 39086->39089 39087 6d529ab GetCurrentThreadId 39088 6d529dc 39087->39088 39089->39087
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c4178868259224fbfe6939c0d3e4582a5decb105edd72735193f101f25ac2236
                                                            • Instruction ID: 4939c37d1b8dfb22c17b65eede6e92b717d05e98b40b7e3fcdb6b0f2cd4ea80e
                                                            • Opcode Fuzzy Hash: c4178868259224fbfe6939c0d3e4582a5decb105edd72735193f101f25ac2236
                                                            • Instruction Fuzzy Hash: A8823B30E00619CFDB54DF65C494A9DB7B2FF89300F55D6AAE409AB260EB35ED85CB80
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e4c1c1ffcb2bf0f949f31b60a198819aad685fd1c9900ffa2e986646df6aaf7
                                                            • Instruction ID: a11f85d0138e13f5570a3454f190d68b605c49fa0bb9ea0b2aa2d45ad16745d1
                                                            • Opcode Fuzzy Hash: 6e4c1c1ffcb2bf0f949f31b60a198819aad685fd1c9900ffa2e986646df6aaf7
                                                            • Instruction Fuzzy Hash: 61223030E102098FEFA4DB6AD4907ADB7B6FB89310F648527E405EB391DB35DC918B91

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06D528F6
                                                            • GetCurrentThread.KERNEL32 ref: 06D52933
                                                            • GetCurrentProcess.KERNEL32 ref: 06D52970
                                                            • GetCurrentThreadId.KERNEL32 ref: 06D529C9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID: B@a
                                                            • API String ID: 2063062207-462256014
                                                            • Opcode ID: 2c272d738638bd771b43c199dbd0d2af0c0b1b940e91d25519573f45f99892c4
                                                            • Instruction ID: a888389859d1720449f7d72004f084973f24b32bbcdf623943ad2d1c56946c85
                                                            • Opcode Fuzzy Hash: 2c272d738638bd771b43c199dbd0d2af0c0b1b940e91d25519573f45f99892c4
                                                            • Instruction Fuzzy Hash: 1E5158B090034ACFDB54DFAAD548B9EBBF1BF88314F248459E809A73A0D7355944CF65

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06D528F6
                                                            • GetCurrentThread.KERNEL32 ref: 06D52933
                                                            • GetCurrentProcess.KERNEL32 ref: 06D52970
                                                            • GetCurrentThreadId.KERNEL32 ref: 06D529C9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID: B@a
                                                            • API String ID: 2063062207-462256014
                                                            • Opcode ID: 514b3e287c13056ce86fa62b44ec869c46ea4c940b91cb11656bae678812cb0c
                                                            • Instruction ID: 7695a2512474b0d42fa000a49af28ec7a523bcb4a11b322463f8639a6b36b090
                                                            • Opcode Fuzzy Hash: 514b3e287c13056ce86fa62b44ec869c46ea4c940b91cb11656bae678812cb0c
                                                            • Instruction Fuzzy Hash: A85137B090034A8FDB54DFAAD948B9EBBF1BF88310F248459E409A73A0D7755944CF65

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 52 6d5d0e4-6d5d156 54 6d5d161-6d5d168 52->54 55 6d5d158-6d5d15e 52->55 56 6d5d173-6d5d1ab 54->56 57 6d5d16a-6d5d170 54->57 55->54 58 6d5d1b3-6d5d212 CreateWindowExW 56->58 57->56 59 6d5d214-6d5d21a 58->59 60 6d5d21b-6d5d253 58->60 59->60 64 6d5d255-6d5d258 60->64 65 6d5d260 60->65 64->65 66 6d5d261 65->66 66->66
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D5D202
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID: B@a$B@a
                                                            • API String ID: 716092398-212933815
                                                            • Opcode ID: 0fc06ed91ba3e974ff86b7c57be98a301fdd6fea69741b47a087ed92d3247117
                                                            • Instruction ID: 0d9f6c030603b052971f7378c2197658ea907b00aa7c32cac19dba7e9b9503f1
                                                            • Opcode Fuzzy Hash: 0fc06ed91ba3e974ff86b7c57be98a301fdd6fea69741b47a087ed92d3247117
                                                            • Instruction Fuzzy Hash: A751C0B1D00349DFDF14CF9AC884ADEBBB6BF88310F25812AE819AB250D7759945CF94

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 67 6d5d0f0-6d5d156 68 6d5d161-6d5d168 67->68 69 6d5d158-6d5d15e 67->69 70 6d5d173-6d5d212 CreateWindowExW 68->70 71 6d5d16a-6d5d170 68->71 69->68 73 6d5d214-6d5d21a 70->73 74 6d5d21b-6d5d253 70->74 71->70 73->74 78 6d5d255-6d5d258 74->78 79 6d5d260 74->79 78->79 80 6d5d261 79->80 80->80
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D5D202
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID: B@a$B@a
                                                            • API String ID: 716092398-212933815
                                                            • Opcode ID: 51c1022913e67c37b87bd77aa9ce03208c2a96799cf81ff0b03c9ac2cbd7ecbc
                                                            • Instruction ID: d6bf6dbbd9bf09bac3035b4accd9cbd22ac0359a09c6d96ba209b2cf9694efaf
                                                            • Opcode Fuzzy Hash: 51c1022913e67c37b87bd77aa9ce03208c2a96799cf81ff0b03c9ac2cbd7ecbc
                                                            • Instruction Fuzzy Hash: 1641A0B1D00349DFDF14CF9AC884ADEBBB6BF88310F25812AE819AB250D7759945CF94

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 81 6d5af1f-6d5af2f 82 6d5af31-6d5af3e call 6d5a2e4 81->82 83 6d5af5b-6d5af5f 81->83 88 6d5af54 82->88 89 6d5af40 82->89 84 6d5af61-6d5af6b 83->84 85 6d5af73-6d5afb4 83->85 84->85 92 6d5afb6-6d5afbe 85->92 93 6d5afc1-6d5afcf 85->93 88->83 137 6d5af46 call 6d5b1a9 89->137 138 6d5af46 call 6d5b1b8 89->138 92->93 95 6d5afd1-6d5afd6 93->95 96 6d5aff3-6d5aff5 93->96 94 6d5af4c-6d5af4e 94->88 97 6d5b090-6d5b150 94->97 99 6d5afe1 95->99 100 6d5afd8-6d5afdf call 6d5a2f0 95->100 98 6d5aff8-6d5afff 96->98 132 6d5b152-6d5b155 97->132 133 6d5b158-6d5b183 GetModuleHandleW 97->133 103 6d5b001-6d5b009 98->103 104 6d5b00c-6d5b013 98->104 102 6d5afe3-6d5aff1 99->102 100->102 102->98 103->104 106 6d5b015-6d5b01d 104->106 107 6d5b020-6d5b029 call 6d5348c 104->107 106->107 112 6d5b036-6d5b03b 107->112 113 6d5b02b-6d5b033 107->113 114 6d5b03d-6d5b044 112->114 115 6d5b059-6d5b066 112->115 113->112 114->115 117 6d5b046-6d5b056 call 6d58900 call 6d5a300 114->117 122 6d5b089-6d5b08f 115->122 123 6d5b068-6d5b086 115->123 117->115 123->122 132->133 134 6d5b185-6d5b18b 133->134 135 6d5b18c-6d5b1a0 133->135 134->135 137->94 138->94
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06D5B176
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: B@a
                                                            • API String ID: 4139908857-462256014
                                                            • Opcode ID: 63998a40b0aece5d02ce57b12606a7ab4b767631122d704ac9863b19a0b7adc3
                                                            • Instruction ID: 6624901d0e731012df9e1837947ea32ae90642532c0c0a069f8b777afde98ff8
                                                            • Opcode Fuzzy Hash: 63998a40b0aece5d02ce57b12606a7ab4b767631122d704ac9863b19a0b7adc3
                                                            • Instruction Fuzzy Hash: BE714870A00B058FDBA4DF2AD55175ABBF1FF88200F048A2EE89AD7A50D775E845CB91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 139 6d5a5ec-6d5f86c 142 6d5f872-6d5f877 139->142 143 6d5f91c-6d5f93c call 6d5a4c4 139->143 145 6d5f879-6d5f8b0 142->145 146 6d5f8ca-6d5f902 CallWindowProcW 142->146 150 6d5f93f-6d5f94c 143->150 153 6d5f8b2-6d5f8b8 145->153 154 6d5f8b9-6d5f8c8 145->154 147 6d5f904-6d5f90a 146->147 148 6d5f90b-6d5f91a 146->148 147->148 148->150 153->154 154->150
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 06D5F8F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID: B@a
                                                            • API String ID: 2714655100-462256014
                                                            • Opcode ID: 694cdf86cff34d55a5d8c63cb3f2c03effdb3629cbe4ce47049ed9bd94396d2b
                                                            • Instruction ID: f2e25606f74b465aa1cda6e34202cc8b25571f87d10b253311338ca4f8ec0c16
                                                            • Opcode Fuzzy Hash: 694cdf86cff34d55a5d8c63cb3f2c03effdb3629cbe4ce47049ed9bd94396d2b
                                                            • Instruction Fuzzy Hash: 5A415BB4900309DFDB54DF9AC488BAABBF5FB88314F25C459D919AB361D734A841CFA0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 156 6d52ab8-6d52b54 DuplicateHandle 157 6d52b56-6d52b5c 156->157 158 6d52b5d-6d52b7a 156->158 157->158
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06D52B47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID: B@a
                                                            • API String ID: 3793708945-462256014
                                                            • Opcode ID: 648d5e2e5ba7630381bbc566f3ac39779561adb41a1ba7dd8c0be2c5cfc08697
                                                            • Instruction ID: 4ce941ceabcbc1a334a1e7c9e9db0f57c148051a960941c7a6ebd3a6a3579e53
                                                            • Opcode Fuzzy Hash: 648d5e2e5ba7630381bbc566f3ac39779561adb41a1ba7dd8c0be2c5cfc08697
                                                            • Instruction Fuzzy Hash: C921E3B59002499FDB10CFAAD884ADEBBF5FB48310F14842AE954A7750D374A955CFA0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 161 6d52ac0-6d52b54 DuplicateHandle 162 6d52b56-6d52b5c 161->162 163 6d52b5d-6d52b7a 161->163 162->163
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06D52B47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID: B@a
                                                            • API String ID: 3793708945-462256014
                                                            • Opcode ID: 4e59145ac5ea02488b59f0f067de86beb9e76c2d7429a3c31217ce4ae11793ca
                                                            • Instruction ID: 41c244cbaa69f1dc20f79e7aa6942209757a4971f8ef40dee855e09dc821f78d
                                                            • Opcode Fuzzy Hash: 4e59145ac5ea02488b59f0f067de86beb9e76c2d7429a3c31217ce4ae11793ca
                                                            • Instruction Fuzzy Hash: 5421E4B59002099FDB10CFAAD884ADEFBF9FB48310F14801AE954A3350D374A954CFA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 166 15be1c8-15bebac GlobalMemoryStatusEx 169 15bebae-15bebb4 166->169 170 15bebb5-15bebdd 166->170 169->170
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015BEAB2), ref: 015BEB9F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3894917967.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_15b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID: B@a
                                                            • API String ID: 1890195054-462256014
                                                            • Opcode ID: 52f6380595fd06c16684923e485002029d738731112cf53fabc68ab754d05083
                                                            • Instruction ID: d06f2b1c31376fc7ed8b45cdb5a45d30cc99b0da9452cb95030a78d7a17affa9
                                                            • Opcode Fuzzy Hash: 52f6380595fd06c16684923e485002029d738731112cf53fabc68ab754d05083
                                                            • Instruction Fuzzy Hash: E21136B1C0065A9BDB10DF9AC445BDEFBF4FF48210F14816AE914A7240D778A904CFA1

                                                            Control-flow Graph
                                                            • Blocks: 15beb33-15beb76, 15beb7e-15bebac (GlobalMemoryStatusEx), 15bebae-15bebb4, 15bebb5-15bebdd
                                                            • Edges: 15beb33-15beb76 -> 15beb7e-15bebac, 15beb7e-15bebac -> 15bebae-15bebb4, 15beb7e-15bebac -> 15bebb5-15bebdd, 15bebae-15bebb4 -> 15bebb5-15bebdd
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015BEAB2), ref: 015BEB9F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3894917967.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_15b0000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID: B@a
                                                            • API String ID: 1890195054-462256014
                                                            • Opcode ID: 1e800951397fd570bd1241869fff6a706d3a9a9f80c5dec03c6d2cf042328d0d
                                                            • Instruction ID: 6b7ebe92090bcb9aa3b9ee31dbd9831ab6321d6a2947e80b45ccdc133ad93d79
                                                            • Opcode Fuzzy Hash: 1e800951397fd570bd1241869fff6a706d3a9a9f80c5dec03c6d2cf042328d0d
                                                            • Instruction Fuzzy Hash: 4D1114B1C0065A9FDB10DFAAC445BDEFBF5BF48320F14816AD818A7280D778A944CFA1

                                                            Control-flow Graph
                                                            • Blocks: 6d5b110-6d5b150, 6d5b152-6d5b155, 6d5b158-6d5b183 (GetModuleHandleW), 6d5b185-6d5b18b, 6d5b18c-6d5b1a0
                                                            • Edges: 6d5b110-6d5b150 -> 6d5b152-6d5b155, 6d5b110-6d5b150 -> 6d5b158-6d5b183, 6d5b152-6d5b155 -> 6d5b158-6d5b183, 6d5b158-6d5b183 -> 6d5b185-6d5b18b, 6d5b158-6d5b183 -> 6d5b18c-6d5b1a0, 6d5b185-6d5b18b -> 6d5b18c-6d5b1a0
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06D5B176
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d50000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: B@a
                                                            • API String ID: 4139908857-462256014
                                                            • Opcode ID: 00dabf28aa3707cf47c8d001728841ec6acf328af50819efdbc712fbcfa70dec
                                                            • Instruction ID: a007a36f2def031f32287dc22585812804f7cfd5a775bb4d6556101d116a0db8
                                                            • Opcode Fuzzy Hash: 00dabf28aa3707cf47c8d001728841ec6acf328af50819efdbc712fbcfa70dec
                                                            • Instruction Fuzzy Hash: 3411DFB5C006498FDB10DF9AC844B9EFBF4AB88220F15842AD829A7650C779A545CFA5
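The entries above record, per function, which Windows export a call site resolved to (for example GlobalMemoryStatusEx and GetModuleHandleW in KERNELBASE) and which dumped memory region it was found in; the `.sdmp` name in "Source File" encodes the process ID, the dump iteration, a snapshot ID and the region base address, and "based on PE: false" marks a region that is not backed by a PE image on disk. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in this page's bullet layout into records and groups the resolved APIs by region, so that a long "Executed Functions" listing collapses into one row per dumped region. The sample text is constructed from three entries on this page with the unparsed bullets left out; the meaning of the four trailing sdmp name fields (kept raw) and the `pidN:0xBASE` key format are my assumptions, not something the report documents.

```python
"""Parse Joe Sandbox 'Executed Functions' entries (the bullet layout on this page)
into records and group the resolved API calls by the memory region they came from.
Added example, not part of the Joe Sandbox report."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: the parsed fields of three entries from this page; bullets the
# parser does not read (IDs, snapshot file, similarity) are omitted.
SAMPLE = """\
Control-flow Graph
APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015BEAB2), ref: 015BEB9F
Memory Dump Source
• Source File: 00000006.00000002.3894917967.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
• Instruction Fuzzy Hash: E21136B1C0065A9BDB10DF9AC445BDEFBF4FF48210F14816AE914A7240D778A904CFA1
• GetModuleHandleW.KERNELBASE(00000000), ref: 06D5B176
• Source File: 00000006.00000002.3901419569.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
• Instruction Fuzzy Hash: 3411DFB5C006498FDB10DF9AC844B9EFBF4AB88220F15842AD829A7650C779A545CFA5
• Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
• Instruction Fuzzy Hash: 7DC1AF75F00219CFDF54DBA5D45069EBBB6FF88310F208169E802AB354DA32AD82CB90
"""

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<sdmp>\S+\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,"
                       r"\s*based on PE:\s*(?P<pe>true|false)$")
FUZZY_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-F]+)$")


@dataclass
class ApiCall:
    api: str         # resolved export, e.g. GlobalMemoryStatusEx
    module: str      # DLL it resolved to, e.g. KERNELBASE
    args: list[str]  # argument column as printed; '?' = not resolved by the sandbox
    ref: int         # call-site address


@dataclass
class DumpRegion:
    pid: int
    iteration: int
    snapshot_id: int
    base: int
    raw_flags: tuple[int, ...]  # trailing sdmp name fields; assumed to be region attribute flags, kept undecoded
    based_on_pe: bool           # False: not backed by a PE image on disk (JIT'd or unpacked code)


@dataclass
class FunctionEntry:
    region: DumpRegion | None = None
    apis: list[ApiCall] = field(default_factory=list)
    instruction_fuzzy_hash: str = ""


def parse_source_line(m: re.Match) -> DumpRegion:
    # sdmp name layout: PID.iteration.snapshotId.base.<four flag fields>.sdmp
    parts = m["sdmp"][: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {m['sdmp']}")
    pid, iteration, snap, base, *flags = parts
    return DumpRegion(int(pid), int(iteration), int(snap), int(base, 16),
                      tuple(int(f, 16) for f in flags), m["pe"] == "true")


def parse_entries(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per function; the 'Instruction Fuzzy Hash' bullet closes an entry."""
    entries: list[FunctionEntry] = []
    cur = FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
        elif m := SOURCE_RE.match(line):
            cur.region = parse_source_line(m)
        elif m := FUZZY_RE.match(line):
            cur.instruction_fuzzy_hash = m["hash"]
            entries.append(cur)
            cur = FunctionEntry()
    if cur.region is not None:  # entry cut off before its fuzzy hash (as at the end of this page)
        entries.append(cur)
    return entries


def region_key(r: DumpRegion) -> str:
    return f"pid{r.pid}:0x{r.base:08X}"


def apis_by_region(entries: list[FunctionEntry]) -> dict[str, list[str]]:
    """Map each dumped region to the sorted, de-duplicated APIs resolved inside it."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e.region is not None:
            seen[region_key(e.region)].update(c.api for c in e.apis)
    return {k: sorted(v) for k, v in sorted(seen.items())}


def non_pe_regions(entries: list[FunctionEntry]) -> list[str]:
    """Regions whose code is not backed by a PE on disk: where runtime-unpacked or JIT'd code lives."""
    return sorted({region_key(e.region) for e in entries
                   if e.region is not None and not e.region.based_on_pe})
```

Run over the full listing, `apis_by_region` gives one row per dumped region with the exports resolved there, and `non_pe_regions` lists the regions flagged "based on PE: false". For the entries on this page every region is in process 6 and none is PE-backed, which is consistent with code that was unpacked or JIT-compiled at runtime rather than mapped from the file on disk; those are the regions worth carving out of the dumps for static follow-up.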
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: b05ecdd11a369d1985cb95d1478559c05741298c7faffb5726fa7bc3d8081ab8
                                                            • Instruction ID: 8b3a8f309cefc8a61b9d904fd2bebc4307be2f4de2d880f251eaf8ae0f8e15d0
                                                            • Opcode Fuzzy Hash: b05ecdd11a369d1985cb95d1478559c05741298c7faffb5726fa7bc3d8081ab8
                                                            • Instruction Fuzzy Hash: 7DC1AF75F00219CFDF54DBA5D45069EBBB6FF88310F208169E802AB354DA32AD82CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: B@a
                                                            • API String ID: 0-462256014
                                                            • Opcode ID: 59e6bee561715a8278f3247bb70f374de4c1da5eecda3f40b6972cdccaa34edc
                                                            • Instruction ID: 9128d7d3a9e862bbc115a84dd5b66fa133fc0d31d9a06ed3b4bf041c3b07c9a2
                                                            • Opcode Fuzzy Hash: 59e6bee561715a8278f3247bb70f374de4c1da5eecda3f40b6972cdccaa34edc
                                                            • Instruction Fuzzy Hash: 6D21C0B5D01259AFCB00DF9AD885ADEFBB4FB48714F10812AE918A7340C374A954CFA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: B@a
                                                            • API String ID: 0-462256014
                                                            • Opcode ID: e6f115ebc3885e406811d3069f61d9da1fb1ddd02649879c3232cef3655107c3
                                                            • Instruction ID: 1c0b5c67a2c393ea355940342663924e52050705d871d12c9c7c5bee32e0e467
                                                            • Opcode Fuzzy Hash: e6f115ebc3885e406811d3069f61d9da1fb1ddd02649879c3232cef3655107c3
                                                            • Instruction Fuzzy Hash: DA11CFB5D01259AFCB00DF9AD884ACEFBB4FB48310F10812AE918A7240C374A954CFA5
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b2471b1d67fe74bd772b26b5c70b41973992d1a9a6b8c2d68bbeb729bff12736
                                                            • Instruction ID: 40e10078a6d6a3884d263e5ab162324d86a2973429e96f28d8aea26500f4930a
                                                            • Opcode Fuzzy Hash: b2471b1d67fe74bd772b26b5c70b41973992d1a9a6b8c2d68bbeb729bff12736
                                                            • Instruction Fuzzy Hash: DCE17D30F1021A9FDB54DB69D8906AEB7B2FFC5201F14852AE806EB354EB35DC46CB91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f3dbd9be96c960ea9bf5574a1c8f99a40af8377971cb10cc81e1dd3fa0159a27
                                                            • Instruction ID: 2fd6c76af31242d6f28d69f30245177bd5300b90ce236730f6f5b67adbbc3c04
                                                            • Opcode Fuzzy Hash: f3dbd9be96c960ea9bf5574a1c8f99a40af8377971cb10cc81e1dd3fa0159a27
                                                            • Instruction Fuzzy Hash: 8CA15530F101099BEFA4DBAED4907AEB6A6FBC9310F604426F405EB391DB39DC519B91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 41bdd50e8dffeb9619ed9e69e648042dd0bfd502d0e79b5986b7dbca0869fd79
                                                            • Instruction ID: 247eddb69abbd0d965bccdb751642172db4cefd328c84b80a248cc5f65aeada6
                                                            • Opcode Fuzzy Hash: 41bdd50e8dffeb9619ed9e69e648042dd0bfd502d0e79b5986b7dbca0869fd79
                                                            • Instruction Fuzzy Hash: F3A18B30A00209CFDB64DB6AD594B5DBBF2FF84354F148569E81AAB391DB36EC41CB90
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6490487601e7cedc59a0cbbcf705f08af13a0273f31c2283fd96a482f6f96851
                                                            • Instruction ID: 4a850e762f93997de5f00af079ecff2657617eb90daad8d4f54e5a65b9a1c183
                                                            • Opcode Fuzzy Hash: 6490487601e7cedc59a0cbbcf705f08af13a0273f31c2283fd96a482f6f96851
                                                            • Instruction Fuzzy Hash: 83915C30B1061ACFDB54DF76D85066EB7A6FFC8214F108529E806DB354EB79EC429BA0
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2366ca92b6a1cb1d4998f69449253dbde6b9f2f8d979677d99c84f6e5ead9194
                                                            • Instruction ID: e67ffeaef4b1bb0b17ca352bab669a942687d356667b3464d66201ab05b8ade3
                                                            • Opcode Fuzzy Hash: 2366ca92b6a1cb1d4998f69449253dbde6b9f2f8d979677d99c84f6e5ead9194
                                                            • Instruction Fuzzy Hash: 14913B30B0021A8FDB94DF65D8607AEB7F6EFC9200F108569D80AEB354EA35DD468F91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23a18e5041c826704e4671bfafabd3ea48925e9e9e1602672f4824ab368cc823
                                                            • Instruction ID: 729aca8d092b138bd32ed04e0a2bfa5ad509e0a3cd6b3ca91d6fb022db63a09e
                                                            • Opcode Fuzzy Hash: 23a18e5041c826704e4671bfafabd3ea48925e9e9e1602672f4824ab368cc823
                                                            • Instruction Fuzzy Hash: 67619671F001214BDF54AB6EC84065EBADBEFD8610B15443AE80ADB3A0DE65ED4287D6
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f9e86792bf0f6aa99b1ef3cbcc9af8d4410704d5ef13bbf9e20f386554c7252f
                                                            • Instruction ID: 68d0e4e3cc4d916081f2cb8d459cbf2381d0c9899636a58d062353d91baba1f1
                                                            • Opcode Fuzzy Hash: f9e86792bf0f6aa99b1ef3cbcc9af8d4410704d5ef13bbf9e20f386554c7252f
                                                            • Instruction Fuzzy Hash: 74812F30B0121A8FDF94DFA9D45076EBBF2AF89710F108529E80AEB354DB75DC468B51
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e18340a4df8be67caefaa3386ec5169584c2eef054dda72c6c4ff8c9a3a5192c
                                                            • Instruction ID: eb68cfe876edf1c22ce00990dc90fe3623e609ed6f2daab9507d28d28cb1105b
                                                            • Opcode Fuzzy Hash: e18340a4df8be67caefaa3386ec5169584c2eef054dda72c6c4ff8c9a3a5192c
                                                            • Instruction Fuzzy Hash: 58813030B0121A8BDF94DFA9D45076EBBF2EF89710F108529E80AEB354DB75DC468B91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 25d9b46b60867e4110ca34435a82a3dbc997bd70ac8b2479ea6d09ad0d414e3c
                                                            • Instruction ID: d7a267ae3aa2c4e4968061036b165484bdd475503df30447c679ded0ffcdb958
                                                            • Opcode Fuzzy Hash: 25d9b46b60867e4110ca34435a82a3dbc997bd70ac8b2479ea6d09ad0d414e3c
                                                            • Instruction Fuzzy Hash: C6915D30E0061A8BDF60DF68C890B9DB7B1FF89310F20C699D549AB395DB71A985CF91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a0e8bd48802e68be070a605408ed0410c1e9cf454a719ea77034bd419e2675db
                                                            • Instruction ID: 55e712b0e11f75ed8e808ec39facfc27a79365ba6bd152d3ed7ce86985c39dc9
                                                            • Opcode Fuzzy Hash: a0e8bd48802e68be070a605408ed0410c1e9cf454a719ea77034bd419e2675db
                                                            • Instruction Fuzzy Hash: 5F914C30E1061A8BDF60DF65C890B9DB7B1FF89310F20C699D509AB394DB71A985CF91
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e4ce8569dd456546acc89ed1ed737d1f7f643c106bc13c05f741b92bae6d2d7
                                                            • Instruction ID: a3e4bbb63387fda7d965119b06b4475dd31284f0695468484adf66e6fe1dcf47
                                                            • Opcode Fuzzy Hash: 6e4ce8569dd456546acc89ed1ed737d1f7f643c106bc13c05f741b92bae6d2d7
                                                            • Instruction Fuzzy Hash: D471F934A002099FDB94DBA9D990A9EBBF6FFC4300F148529E41AEB354DB31ED46CB51
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6fe41ef9d6583f6eb29ecf919c776d74e16112166c106044355ff92ae4d8f25d
                                                            • Instruction ID: 46d1e6c98499393646bbf767f29761c5759c9ce5b323aa19e0edacd215ec60fe
                                                            • Opcode Fuzzy Hash: 6fe41ef9d6583f6eb29ecf919c776d74e16112166c106044355ff92ae4d8f25d
                                                            • Instruction Fuzzy Hash: BE711A74A002099FDB94DBA9D990A9EBBF6FFC4300F148529E40AEB254DB31EC46CB50
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ee95444744d8c20f3a58e16b82e05f271f857ce3d048b8cc8faa003df91beb8
                                                            • Instruction ID: 6bc260f90a48af8041ddadff2d0395f39831c3876741c6a61f1a27b808d2aad1
                                                            • Opcode Fuzzy Hash: 5ee95444744d8c20f3a58e16b82e05f271f857ce3d048b8cc8faa003df91beb8
                                                            • Instruction Fuzzy Hash: A9617370F002099FEB959FA5C8147AEBBF6FBC8740F208529E506AB391DE754C458F90
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fdc21218d2a85c5de633090d5ceb1f3e28118881e039b3bbc85629f898bef6a4
                                                            • Instruction ID: a2b5dfefca0edec5d2897b1afe0b1a18912d18673ca40ee135fe79171797ba1c
                                                            • Opcode Fuzzy Hash: fdc21218d2a85c5de633090d5ceb1f3e28118881e039b3bbc85629f898bef6a4
                                                            • Instruction Fuzzy Hash: B551E031E00605CFDB54EFB9F8846ADBBB3FB84311F11886AE506DB250DB359854CB80
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61fae5a33a9b1ae2cbf8d69867355e9a8234df51bf6e399ad007160e248f1042
                                                            • Instruction ID: 8206dea3a670ceab789a0302e4a768e16d8727db8521dabc811454a263a02f21
                                                            • Opcode Fuzzy Hash: 61fae5a33a9b1ae2cbf8d69867355e9a8234df51bf6e399ad007160e248f1042
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aa90621a0fd88f7a4d30fa9baf5879d91c6ccad1abbd2ce439776a480b9e9f25
                                                            • Instruction ID: 20d4777d55c9835c408fe6131a1797d10b81424468d10a018240f03f9ae48814
                                                            • Opcode Fuzzy Hash: aa90621a0fd88f7a4d30fa9baf5879d91c6ccad1abbd2ce439776a480b9e9f25
                                                            • Instruction Fuzzy Hash: F001A231B101154BDB50DBB9E85572EB7E5EB8A654F144839F54AE7380EA19DC018781
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3f7ada15f853555da63e548293d8066c0acca525266bc1de5b5d9f7f7605c205
                                                            • Instruction ID: 47f0b1a084f523c1acad4a8a2509538b5c69d4e8fd490b91348fa45052bb9a3c
                                                            • Opcode Fuzzy Hash: 3f7ada15f853555da63e548293d8066c0acca525266bc1de5b5d9f7f7605c205
                                                            • Instruction Fuzzy Hash: BE01AF35B141118BDBA5DA7EA45472FB7DAEBC9A21F10883AF50EC7341EE66DC0247C1
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a59b3c07c5c48491531869efcf5ec625d340561f9707d639d375a3c165f24a4
                                                            • Instruction ID: d6c6a434897b56dce5cc938916a4668dbd1214c6ecc3ebbd0ff435ff87484d99
                                                            • Opcode Fuzzy Hash: 9a59b3c07c5c48491531869efcf5ec625d340561f9707d639d375a3c165f24a4
                                                            • Instruction Fuzzy Hash: 6701FF39F140118BDBA1DABDA45472EB3D6EBC9611F10883AF10ED7340EE65DC024781
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dab2ecbec3c0d829b22a212f6279636fa87a5a51b38091c1123fbcea1d5be33a
                                                            • Instruction ID: 3214861e9c0ee9fbbb8692c1798919c62780924f4bb6dfbe9ef29583c1a19a27
                                                            • Opcode Fuzzy Hash: dab2ecbec3c0d829b22a212f6279636fa87a5a51b38091c1123fbcea1d5be33a
                                                            • Instruction Fuzzy Hash: D7018130B101158BDB90DBBDE45472E77E5EBCA650F148839F54AE7390EA29DC018781
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 32a203f6a78a003c9eb163bf10e48573265b45ac659b23820fc1287f74d4e679
                                                            • Instruction ID: 7e1033c04359201dac04e0e22497caa8060b107055dd3b2eb56e05ba8085b971
                                                            • Opcode Fuzzy Hash: 32a203f6a78a003c9eb163bf10e48573265b45ac659b23820fc1287f74d4e679
                                                            • Instruction Fuzzy Hash: 50F0AF31B00215DFEFA49F9AE99066CB3B5EB84350F144076F905DB254D739DE02E7A1
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 31e1ad7522b1dc6fa146936418377b9615e2d0ad4fc837d91c4beca73becc45c
                                                            • Instruction ID: 48a48d1351d549d453c4d33b63ccc70df10fee40fa83c032b0d6a02a00d3bd22
                                                            • Opcode Fuzzy Hash: 31e1ad7522b1dc6fa146936418377b9615e2d0ad4fc837d91c4beca73becc45c
                                                            • Instruction Fuzzy Hash: 07F08232E20224A7DB546A66EC45A9AB73AF794259F004536E941F7240D675A80487D0
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 133edd55a213054e9c96f3a543676fec48c7d98a442a47e177529e28ea66ff55
                                                            • Instruction ID: 2dc0864692e2ef3e868b573a7ea718929c51ba5a5a7cfe631cef8098196aed64
                                                            • Opcode Fuzzy Hash: 133edd55a213054e9c96f3a543676fec48c7d98a442a47e177529e28ea66ff55
                                                            • Instruction Fuzzy Hash: 54E0D871E182886FEF50CFB1CD6274A7BACD705205F1148A5E804C7142E176EE058351
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.3901465771.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_6_2_6d60000_ship's particulars-TBN.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                            • Instruction ID: e35a5086820582aef4aca4646458d5a5ba7a4bf1abdccf2e64b5a022044d9c37
                                                            • Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                            • Instruction Fuzzy Hash: CAE02B70E1410CABDF50CFB2CA5575F73ADD705214F2089A4F408C7201E1B3EE018391